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PREFACE 


This is the second volume of a two-volume report covering 
work performed in the period between June, 1978, and April, 
1981, on a project entitled "Definition and Analysis of Sys- 
tems Data Communication Structures." This project was spon- 
sored by the National Aeronautics and Space Administration, 
Langley Research Center, Hampton, Virginia. The Technical 
Contract Monitor was Mr. J. Larry Spencer. 

The first volume is primarily concerned with communica- 
tion methodology, while this volume treats communication is- 
sues at the aircraft system level. 

The authors would like to express their gratitude to the 
personnel of NASA Langley who, along with Mr. Spencer, have 
made significant technical contributions to this work, espe- 
cially Messrs. Brian Lupton and Nicholas Murray. Thanks are 
also due to Mr. Billy Dove, whose foresight and confidence 
made this project possible. 
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Chapter 1 


INTRODUCTION 


The objective of this study is to develop a technology 
base consisting of concepts^ data, and trade-off analyses to 
support the design of the data communication structures for 
future aircraft avionic systems. For this study, avionics 
is broadly defined to include almost all electronic func- 
tions expected to be performed on future aircraft. These 
functions extend from life critical fly-by-wire active con- 
trol to the maintenance support. 

In this study, we assume that the design of future avion- 
ic systems will be highly integrated and that a fault-toler- 
ant computer system will be the heart of the system. The 
communication system studied is thus primarily to provide 
the necessary data transfer between the fault-tolerant com- 
puter and the sensors, displays, controls, and actuators 
necessary to perform all required avionic functions. This 
study consists of the identification of a number of alterna- 
tives for providing this communication function, and an 
analysis of their relative char ac ter is tics , including: per- 

formance, cost, reliability, and maintainability. 

An initial decision was made that a study of communica- 
tion systems could not be effectively conducted in isolation 
from the systems in which they are used. The approach taken 
for this study is first to establish as realistic an envi- 
ronment as possible for the communication problem. This en- 
vironment is established first by defining a set of func- 
tional ^nd operational requirements that must be met by the 
avionic systems in a future target time period. Next, a set 
of basic hardware elements is hypothesized that would be 
necessary to meet these requirements. A range of potential 
system configurations are then studied that would organize 
the hardware elements. From this study, three basic system 
configurations are chosen to represent the system configura- 
tions most likely to emerge at various stages of future de- 
velopment. Communication structures are then studied in the 
context of these system configurations. 

Alternative communication structures are designed for 
each system configuration. A relatively complete descrip- 
tion for each of these total systems gives a more concise 
picture of of the communication problem. Each system is 
then analyzed to provide trade-off information among the 
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communication alternatives. An extensive reliability and 
throughput capacity analysis is performed on the candidate 
systems to assure that each meets the requirements. These 
analyses establish the basis for a trade-off comparison 
among candidates. The alternative systems are then compared 
in terms of relative complexity and other factors that could 
affect the choice for the most effective system for a par- 
ticular application. 

The following chapter gives the baseline system require- 
ments to be met by the avionics system. Chapter 3 discusses 
the baseline equipment requirements. Chapter 4 defines al- 
ternate system configurations that represent those to be 
used in the future to meet these requirements. Chapter 5 
gives the alternate communication structures for each of 
three representative system configurations and a description 
of each total system. Chapter 6 presents the results of the 
trade-off analysis of these system alternatives. Chapter 7 
provides the conclusions and recommendations. 


Chapter 2 


BASELINE REQUIREMENTS FOR DATA COMMUNICATION 

STRUCTURES 


The purpose of this chapter is to establish baseline re- 
quirements for the study of data communication structures. 
The requirements are based on considerations in the foil ow- 
ing areas 5 The first consideration is the target time peri- 
od where it is expected that the proposed communication 
structures be used. The next consideration is the defini- 
tion of a representative set of functions to be performed by 
the avionics system and supported by the communication 
structure. The characteristics and requirements for these 
functions are discussed along with the operational ground 
rules for the aircraft. Finally, the system reliability re- 
quirements are discussed as well as the hazard environment 
in which this reliability must be achieved. 


2 . 1 TIME PERIOD CONSIDERATIONS 

It is important to establish the time periods when the 
results of the research program should be used. The time 
period is needed to determine both the functional require- 
ments for the communication structure and the technology 
likely available to implement the system. 

The time period considered for this study includes a 
range of times, beginning with the earliest time the results 
of this work can be applied, and extending to an indefinite 
time in the future when the data communication system will 
be used in a full flight-critical active control system. 
The introduction of digital communications will most likely 
be evolutionary. Aircraft currently being developed exten- 
sively use digital communication. In future aircraft, the 
percentage of the avionics system involved in digital commu- 
nication and the criticality of those communications are 
both expected to increase. This study will contribute to 
the technology base necessary to develop the most effective 
communication system through that time period. 

The communication structure cannot be developed as inde- 
pendently as can individual devices, such as displays or 
sensors. These latter items can be developed at their own 
pace and then introduced into a system when they are ready 
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or required. The communication structure is integral with 
the total system and is thus more dependent on the functions 
and requirements of the total system. Therefore, it is im- 
portant to estimate the time periods when the systems are 
used, as well as to estimate the expected requirements for 
those systems, to create a realistic context to develop the 
most effective communication structure. 

The time period for this study is largely determined by 
the purposes of NASA research. The purpose of NASA is not 
usually to develop systems themselves, but rather to develop 
the technology base for these systems. The technology base 
must therefore be established sufficiently prior to the time 
the definition and development of the actual systems starts. 
This situation establishes the early bound for the target 
time period. 
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The standardization process will also influence the in- 
troduction of new technology in commercial avionics. The 
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Figure 1 s Generations q± Aircraft Development 


advantage to justify the cost of developing neu standards 
and neu equipment, or if neu requirements emerge that cannot 
be met by the current equipment. In either case, neu char- 
acteristics that use a neu communication structure uould not 
be introduced before the next major neu aircraft development 
cycle. The timing of the next major aircraft development 
cycle uill be primarily influenced by technology and the 
economy. By looking at past experience, as shoun in Figure 
1, the go-ahead for the next generation uill be around 1987 
uith service to begin in 1990. The technology for this neu 
aircraft must exist and be fully demonstrated at least one 
to four years before the go-ahead date. Thus, around 1985 
uill be the beginning of the time period covered by this 
study . 
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2 . 2 AIRCRAFT OPERATIONAL GROUNDRULES 

The communication system should be a part of a total sys- 
tem to achieve as high a level of self -monitor ing and self- 
correction as possible. This capability is necessary for 
both flight operations and maintenance. The design goal is 
that all single failures and most multiple failures be oper- 
ationally invisible to the creu. The failed component 
should be automatically identified to a high degree of con- 
fidence so that unconfirmed removals are almost eliminated. 
The system should also be capable of automatically checking 
out and revalidating itself after repairs. 


The aircraft is assumed to be certified for full 
III B autoland capability. The aircraft should be 
chable, at least uith Category II capability, uith 
gle failure and most combinations of failures. 


Category 
dispat- 
any sin- 
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2 . 3 


AIRCRAFT FUNCTIONAL REgUIREMENTS 


To establish the scope of the task to be accomplished by 
the communication system, some idea should be obtained about 
the functions performed by the equipment using the system. 
For this purpose, a set of functions to be performed by the 
avionics system is presented, along uith the char ac ter is tics 
and requirements of those functions important for the commu- 
nication system. This list is not the result of a defini- 
tive design of any particular airplane, but is considered 
adequate to establish the requirements for the communication 
system . 

An assumption made for the purpose of this study is that 
the communication system will be involved in virtually all 
electronic functions on the aircraft. The resulting avion- 
ics system is not necessarily highly integrated, although 
such integration is a strong possibility, and the communica- 
tion system should be capable of supporting that possibili- 
ty. In any case, the majority of all data transfer within 
the aircraft will use digital communication with a common 
format except in a few cases where dedicated links are nec- 
essary for the most effective design. Consequently, the 
functions listed here include all electronic functions per- 
formed now or expected to be performed in the target time 
period. The expected evolution of these functions during 
the time period is also discussed. The only major function 
assumed to remain independent (and is thus not included) is 
the passenger service and entertainment system. 


The 

egories 

functions are discussed in the following 

1 ) 

flight control 


2 ) 

flight monitoring 

and warning 

3) 

flight management 


4) 

navigation 


5) 

communications and 

surveillance 

6) 

engine control and 

monitoring 

7) 

aircraft systems management 

8) 

aircraft and systems support functions 


This chapter 
ing chapter 
necessary to 


discusses the functions 
discusses the equipment 
implement the functions 


themselves; the follow- 
and data requirements 
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2.3.1 Flight Control Functions 


The flight control functions are crucial in establishing 
the requirements for the communication system. Flight con- 
trol is presumably the most flight-critical function and has 
some of the most stringent requirements for data rate and 
transport delay. Flight control will also probably change 
significantly during the target time period. The extent and 
complexity of these functions will presumably increase, and, 
in particular, the degree of flight criticality will become 
much greater. The categories of flight control functions 
include: stability and command augmentation, structural load 

relief, flight path control, and control surface linkage 
(fly-by-wire). These functions are described in the follow- 
ing paragraphs, along with an estimate of the functional 
failure rate requirement for each. 


2 . 3 . 1 . 1 


Stability and Command Augmentation 


The stability and command augmentation functions provide 
commands to the control surfaces that modify the inherent 
aerodynamic characteristics of the basic aircraft on the ba- 
sis of inputs from flight data sensors. A typical stability 
augmentation function used for a number of years and ex- 
pected to continue to be used, is a yaw damper that reduces 
undesirable Dutch roll oscillations. Stability augmentation 
functions are expected to increase significantly in the tar- 
get time period as equipment capability and reliability make 
possible the design of more efficient airframes. One of the 
most important in this category is reduced longitudinal 
static stability. The reduction of the inherent static sta- 
bility will allow for the reduction of both trim drag and 
the size of the horizontal tail. The ultimate will be a 
completely unstable aircraft. 


Command augmentation uses sensor data to augment the com- 
mands from the pilot. These functions are also expected to 
increase to improve the handling qualities of increasingly 
more complex aircraft. These functions will impact the com- 
munication requirements in both data rate and reliability. 
To maintain a stable system, maintenance of a minimum data 
rate and minimization of the maximum total delay from sensor 
input to control output are necessary. These requirements 
will vary for different aircraft. Nominal rates of 50 sam- 
ples per second with a maximum transport delay of 20 milli- 
seconds is assumed here as representative. 


The reliability requirements are likely to 
greatest impact on the communication system, 
ning of the time period the stability augmentat 
are not totally flight critical. However, a c 


have 

the 

At the 

begin- 
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fail- 
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ure of the augmentation function may substantially reduce 
the operational flight envelope of the aircraft and increase 
the probability of an accident. Consequently, it will be 
highly desirable for these functions to have a failure rate 
between 10’^ and 10"^ per hour. At the other end of the 

time period, one assumes that the aircraft is completely un- 
stable over a significant percentage of the flight regime so 
that a total loss of the stability augmentation system leads 
to an immediate loss of the aircraft. The communication 
system then must support a total system that has failure 
rate of less than 10"^ per hour. 


2.3. 1.2 Structural Load Relief Functions 

Structural load relief functions are those active control 
functions that allow relaxation of the basic structural re- 
quirements, making a more efficient structural design possi- 
ble. The functions include- maneuver load control, gust 
load alleviation, elastic mode suppression, and flutter con- 
trol. These functions are also expected to increase during 
the target time period. 

These functions will not be as flight critical as the 
stability augmentation functions. A failure may cause oper- 
ational restrictions. However, an aircraft will not be made 
so structurally weak that it immediately fails when the ac- 
tive control system fails. The only exception envisioned is 
a structure with a flutter mode within the normal operating 
speeds; however, we assume that a flutter mode with this de- 
gree of criticality will not be used during the target time 
period. Thus, the reliability requirement for the structur- 
al load relief functions is expected to range from 10’^ to 
10"^ per hour over the time period. 

Possibly the most important impact the structural relief 
functions will have on the communication system is the high 
data rate requirement for flutter control. The actual re- 
quirement will depend on the flutter frequency for the par- 
ticular aircraft. The requirement placed on the communica- 
tion system will also depend on the organisation of the 
control system. The load will be greatest if the system re- 
quires that the sensor signals and actuator signals be han- 
dled by the primary communication system. The data rate re- 
quirements may be so great that dedicated signal lines are 
used for this function to remove the load from the primary 
system. Possible flutter frequencies range from 15 to 25 
Hs. With required samples rates of at least twice and up to 
ten times the frequency, sampling rates will range from 30 
to 250 times per second, with a sample rate of 100 times per 
second assumed here. 
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2 . 3 . 1 . 3 


Flight Path Control Functions 


The flight path control functions cause the aircraft to 
automatically follow a desired path in space and time. 
These functions includes the traditional autopilot modes of 
attitude hold, heading select/hold, altitude select/hold, 
speed select/hold, vertical speed hold, etc. These func- 
tions also include the automatic throttle and automatic 
landing functions, and, in the future, will provide complete 
time referenced flight path control from takeoff to landing. 

These functions are not expected to place any additional 
critical requirements on the communication system. The data 
rate requirements are not expected to be high. The most 
flight critical function will be automatic landing. The re- 
quirements will not be any higher than those already 
achieved. Because of the low exposure time, the equipment 
failure rate requirement will range from 10’^ to 10’® per 
hour . 


2.3. 1.4 Flight Control Linkage 

Included here as a flight control function is the linkage 
between the automatic control system or the pilot and the 
control surface. Most aircraft now have dedicated analog 
electrical signals from the electronic system to the surface 
actuators. Almost all aircraft (except the F-16) retain a 
mechanical linkage from the pilot to the critical control 
surfaces. It is expected that during the target time period 
the advantages of removing the mechanical linkage will be 
significant, particularly as the control surfaces become 
more complex to support structural load relief functions. 
Future systems are also likely to locate the servo electron- 
ics integrally within the servos. As these changes occur, 
they are likely to put some of the most severe requirements 
on the communication system. A complete failure in communi- 
cations will result in an immediate loss of the aircraft. 
The reliability requirements will thus be essentially the 
same for a completely unstable airplane. The communication 
system will have to support a total system with a failure 
rate of less than 10"® per hour. 


2.3.2 Flicrht Monitoring and Warning Functions 

Flight monitoring and warning functions are presently a 
collection of warning functions for such conditions like ^ 
stall, overspeed, off altitude, gear up, ground proximity, 
etc. Warnings to be added in the near future are wind shear 
and mid air collision. Hopefully, during the target time 
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period, much broader, more comprehensive and integrated 
functions uill be performed to assure that the aircraft is 
always floun within a safe flight envelope, thus signifi- 
cantly increasing flight safety. 

These functions will unlikely place any unique require- 
ments on the communication system . The only influence will 
be by the addition of any unique parameters to the data that 
must be communicated, A high degree of confidence must be 
placed on the reliability of these functions, although it is 
improbable that a failure will be the direct cause of an ac- 
cident. The required reliability is thus less than that of 
flight control functions. 


2.3.3 Flight Management Functions 

Flight management functions are those capabilities that 
assist the crew in conducting the flight. Included are •• 
flight planning, navigation data handling, communication 
system management, optimal flight path computation, etc. 
These functions are not expected to place any significant 
reliability or data rate requirement on the communication 
system. The most significant requirement will be provisions 
for handling and updating large amounts of data. Presum- 
ably, .some large capacity data storage device will be in- 
cluded in the system, such as tape, disk, or possibly a new 
technology, such as bubble memory. The data will have to be 
updated periodically with a a carry-on device, such as a 
tape cartridge, or by data link using a VHF radio. Depend- 
ing on the configuration of the systems, there may be a re- 
quirement for the communication system to move this data ef- 
fectively. 


2.3.4 Navigation Functions 

The navigation function includes all of the sensors used 
primarily for navigation. These sensors include all those 
used now, plus those expected to be added during the target 
time period. The present sensors are VHF omni range (VOR), 
distance measuring equipment (DME), automatic direction fin- 
der (ADF), marker beacon, instrument landing system (ILS), 
inertial, and Omega, while the new systems are the microwave 
landing system (MLS) and the Global Positioning System 
(GPS). The inertial navigation sensors are integrated into 
the flight control/instrumentation inertial sensors. Loran 
and doppler navigation are not included. 

The trend during the target time period is assumed to be 
toward greater integration of the navigation function. Data 


from the various sens 
estimate of the aircr 
sensors to calibrate 
tion should increase 
but not to a signific 
trol functions. Also 
be as great. 


ors will be combined to obtain the best 
aft’s position^ and also to allow the 
and monitor each other. This integra- 
the load on the communication system, 
ant degree relative to the flight con- 
, the reliability requirements will not 


2 . 3.5 


Communication and Surveillance Functions 


The traditional voice communications on VHF and HF radi 
will have little impact on the internal aircraft communic 
tion system. These radios will be interfaced into the sy 
tern to allow centralised communication frequency managemen 
The reliability of this radio control function must be hi 
but not as high as the flight control functions. 


os 
a- 
s- 
t . 
gh 


A more significant impact on the aircraft communication 
system will come from the data link functions. During the 
target time period, there will be an extensive and growing 
utilization of digital data link. Data links are assumed 

both through the ARIHC system using VHF and possibly HF for 
airline operational, maintenance, and passenger service mes- 
sages, and through the Air Traffic Control (ATC) system us- 
ing the Discrete Address Beacon System (DABS) data link for 
ATC commands, operational data, weather data, etc. 


The primary impact of the ARINC dat 
ing and transferring of the data that 
link messages. Most of this data will 
er reasons. However, a few new termin 
tion network will most likely be dedi 
functions, such as a cabin teletype ter 
data link is not expected to place cri 
ments on the communication system. A 

troller and data buffer is part of the 
(modem), so that the internal aircraft 
is not directly involved in the timing 
spending to ground interrogations. 


a link is the gather- 
will make up the data 
be available for oth- 
als on the communica- 
cated to data link 
minal. The ARIHC VHF 
tical timing require- 
dedicated link con- 
modulator/demodulator 
communication system 
requirements of re- 


The DABS data link will place similar requirements on the 
aircraft communication system. The primary requirement will 
be the distribution of data coming up through the link to 
the appropriate devices and the collection of the data to be 
sent back down the link. A buffer is expected to lie be- 
tween the DABS modem and internal communication structure. 

A data communication interface has been defined as a part of 
the proposed technical characteristic for DABS.^ This system 
c an communicate DABS messages in both directions to the ap- 
propriate peripheral devices, used primarily on smaller air- 
craft with no other data communication system. This system 
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has timing requirements too severe to be made directly 
compatible with an aircraft communication system. For exam- 
ple, response time to a message must be as short as 4 micro- 
seconds. Thus, a dedicated buffer is used so the internal 
communication system will be relieved of these extremely 
tight timing requirements . 


2.3.6 Engine Control and Monitoring Functions 

The thrust command is transmitted to current aircraft en- 
gines by mechanical linkage. During the target time period, 
thrust control will be transmitted electrically, similar to 
commands to the aerodynamic control surfaces. Electrical 
commands for thrust will probably be introduced sooner than 
for aerodynamic commands. Initially, these commands may use 
dedicated wire. However, by the end of the time period, 
these commands will presumably be handled by the communica- 
tion system. The primary impact will be the reliability re- 
quirement which will be essentially the same as for flight 
control . 

Also, there will be electronics directly associated with 
the engine for control and data acquisition. The communica- 
tion system will be responsible for supplying the engine 
electronics with necessary aircraft data, such as air data, 
and for transferring data needed for cockpit engine instru- 
mentation ,. and for safety and maintenance monitoring. These 
communications will have a moderate data rate and reliabili- 
ty requirement and thus not put constraints on the communi- 
cation system. 

In the future, the possibility exists that for environ- 
mental or other reasons, the engine control will be removed 
from the engine. In this case, the data rate and transport 
delay requirements from engine sensor inputs to fuel flow 
control outputs will be very tight; however, that this sepa- 
ration will be made during the target time period, for both 
technical and management reasons, is highly unlikely. 


2.3.7 Aircraft Systems Management 

The management/control, and particularly the display for 
all aircraft systems, are expected to become more integrated 
in the future. Traditionally, most of these systems were 
designed and built independently with separate controls and 
displays with dedicated wiring. As these systems grew more 
complex, the clutter and confusion in the cockpit became un- 
manageable. Thus, from the beginning of the target time 
period integrated displays will be used. The integration of 


signals required to support an advanced display system 
encourages the inclusion of many auxiliary functions into a 
more integrated system. Several new ones that cannot be 
easily identified will probably be added. Aircraft systems 
likely to be involved in the data integration include: the 

fuel system, electrical system, hydraulic system, landing 
gear and brakes, environmental control system, weight and 
balance, auxiliary power system, and pneumatic/anti-ice sys- 
tem . 

The integration of this data will have a major impact on 
the communication system because of the sheer magnitude, the 
number of signals involved, and their locations. The total 
reliability of all these functions must be high but not as 
high as the flight control functions. A major question to 
consider in the system design is the degree to which all of 
these auxiliary functions can be integrated with the primary 
flight control functions, without degrading the reliability 
of the more critical flight control functions. The answers 
to these questions are beyond the scope of this study. The 
assumption made here is that the communication structure 
should be capable of handling completely integrated systems 
to allow system designers freedom to develop the most effec- 
tive approach. 


2.3.8 Aircraft and System Support Functions 


During the target time period, an incre 
will be placed on electronics to optimise 
effectiveness of aircraft. This trend will 
at least two ways: The rapid development 

technology means that the cost of electron! 
benefits gained is constantly shifting in 
electronics, and the ability to synergistica 
ities that already exist to perform existing 
functions envisioned involve increased use o 
itoring, testing, and reconfiguration manage 
pabilities will identify more easily and ac 
equipment or degraded performance, to allow 
be anticipated, and to avoid operational del 
pabilities will also: aid in system checkou 

are made, assist in record keeping for main 
purposes, and identify more quickly trouble 
need basic redesign. 
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One of the most important elements of the maintenance 
support function is the avionics system itself. Efficient 
methods will be needed to maintain the required high level 
of reliability and to confirm that this reliability is rees- 
tablished after repairs are made. This automated mainte- 
nance function will be required to assist in maintaining the 
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certifiction of the system. Some contemporary flight 
control systems use separate hardware for this function, but 
future systems are anticipated to incorporate this function 
into the primary system. 

Much of the sensor information and processing capability 
to perform these functions will already exist in the system, 
although many more will most likely be added. The major im- 
pact on the communication system will be the large number 
and diversity of signals that must be handled. 


2.3.9 


Summary of Functional Requirements 


The major factors that influence the communication system 
resulting from this functional requirements study are summa- 
rised here. The highest reliability requirements result 
from the stability augmentation and control surface linkage 
(fly-by-wire) flight control function. The flight control 
system must, at the beginning of the target time period, 
support a near-neutr ally stable aircraft in some parts of 
the flight envelope, while progressing to a completely un- 
stable aircraft by the end of the time period. During this 
period, the mechanical linkages are removed. The required 
failure rate for these functions is 10"^ per hour at the be- 
ginning of the time period, and decreasing to 10’ ’ by the 
end. The failure rate which can be apportioned to the com- 
munication system will depend on the design of the system. 
However, communications should only contribute a relatively 
small part of the total. Failure rate requirements for the 
probability of a complete failure to communicate the minimum 
information necessary to perform the flight critical func- 
tions range from 1 to 3 times 10’® per hour at the beginning 
of the time period and 1 to 3 times 10’^® at the end. 


The most severe data rate and transport delay require- 
ments result from the flutter control function. The assumed 
maximum data rate requirement is 100 samples per second. 
The rate requirement is assumed to drop to 50 samples per 
second when the function is performed by a dedicated system. 


The total capacity requirements and the extent to which 
the communications are localized throughout the aircraft de- 
pend on where the servo-electronics are located and how ex- 
tensively the system is integrated, particularly with auxil- 
iary functions. The following paragraphs discuss the 
environment in which these requirements must be met: 
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2 . 4 


HAZARD ENVIRONMENT 


The fundamental requirements that all candidate communi- 
cation systems must meet are: first, they must perform the 

basic communication tasks; second, they must perform these 
tasks reliably; and third, the technique must be practical 
from the cost, operational, and maintenance points of view. 
The preceding section established baseline requirements for 
the communication tasks and the reliability that these tasks 
must be performed. This section discusses the hazard envi- 
ronment in which the reliability requirement must be met. 
The hazard categories include: random equipment failures, 

specification errors, and induced failures. 


2.4.1 Random Equipment Failures 


The communication system must meet the reliability re- 
quirements in an environment where the equipment malfunc- 
tions from random failures. Each component of the active 
and passive equipment used to perform the communication 
function may fail to perform its required task. These fail- 
ures are normally caused by the interaction of environmental 
stress, or a particular operational situation with an inher- 
ent manufacturing fault in that component, or a deteriora- 
tion in capability since it was manufactured. These fail- 
ures are assumed to be random, with little correlation with 
each other. The rate of failure is determined by the quali- 
ty of the original manufacturing, the extent of initial 
equipment burn-in, the thoroughness of initial tests, and by 
the environmental experience, both accumulative and instan- 
taneous. The statistical failure rate for most of the com- 
ponents that will comprise the communication system are rel- 
atively well known, based on past experience with that, or 
similar components. The environmental stress on the compo- 
nents will be a function of location, and are assumed to be 
defined by Radio Technical Commission for Aeronautics 
DO- 160.3 


The reliability that can be achieved by individual elec- 
tronic components does not normally approach the levels re- 
quired for the system. Therefore, the system must be built 
to tolerate all potential faults in the electronic hardware. 
The system must be designed to detect and isolate any poten- 
tial failure that cannot itself be shown to have a probabil- 
ity of occurrence significantly less than that required for 
the system. When a failure is detected, the system must 
have sufficient additional resources so that the essential 
functions can continue to be performed. Analysis is neces- 
sary to show that the reliability of the failure detection, 
isolation, and reconfiguration meets the total system reli- 
ability requirements in an environment of random equipment 
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failure rates. For this study, the component failure rates 
relatively well defined and available from such sources as 
riIL-HNBK-2 17B . 


2.4.2 Specification Errors 

The design of a communication system to meet reliability 
requirements approaching 1 0 ‘ ^ failures per hour in the 
presence of random failures is a difficult but achievable 
task using techniques beginning to mature. As these goals 
are achieved, the relative importance of other potential 
causes of system failure increases. An important category 
of potential failure sources are identified here as specifi- 
cation errors, which include: generic faults in the design 

of the system hardware or software, errors in the manufac- 
turing process itself, and errors in the operation of the 
system. When redundant channels provide coverage for random 
failures, specification errors may become a dominant source 
of failure because they can affect all redundant channels 
simultaneously to cause a complete system failure. 

These faults are more difficult to define, estimate the 
probability of occurrence, and provide protection against. 
By definition, almost no actual experience can help to un- 
derstand these types of failures or estimate their rate of 
occurrence. This situation is illustrated by the following 
fact*- If a particular design is accepted as a standard and 
used on all commercial aircraft for a typical generation of 
15 years, the total flight time is estimated to be between 
10® and 10® hours. Thus, if no failure arises (or only one) 
during this time period, it will contribute little to an in- 
creased unders tanding and prove little about the statistics. 
In any case, the information will be too late since the risk 
will already be taken. Therefore, the system must be de- 
signed such that it is theoretically close to impossible to 
have a life-critical failure in the system. 

Two approaches to the problem are suggested here: First, 

the basic design can be done so that it is extremely impro- 
bable that any error exists in the hardware or controlling 
software. Some of the techniques which might be used to ac- 
complish this error free design are ^ 

strict requirements specification standards 
Enforced design methods standards 
Achieving the simplest possible design 
Using a design that can be proven correct 
mathematically 

Using independent design verification and 
validation teams. 
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The other approach i 
there is no single link 
design error to cause a 
nique means there are re 
have dissimilar design^ 
to provide all critical 
not use the same design 


s to design the system such that 
in the design which allows any one 
complete system failure. • This tech- 
dundant channels, where the channels 
or where there is some backup means 
functions. The backup system would 
as the primary system. 


2.4.3 Induced Failures 

The final hazards discussed here arise from external 
events. The probability that the communication system con- 
tinues to provide critical functions after the occurrence of 
one of these events must be proportional to the probability 
of that event. The external events considered here are: 
physical damage, fire, lightning, and extreme deviation from 
the design environment, including temperature, vibration, 
shock , and EMI . 


2.4.3. 1 Physical Damage and Fire 

The probability that physical damage and fire will affect 
the communication system can be significant relative to the 
very low failure rates required. Physical damage can result 
from the following: collision with other aircraft, birds, 

the ground or other stationary objects; excessive aerodynam- 
ic loads, caused by abrupt maneuver or turbulence; explosion 
(terrorist or accidental); massive failure of engine or oth- 
er equipment, such as an air conditioning turbine, including 
the effects of parts thrown out; loose objects, such as car- 
go; and damage due to rapid decompression. Also, fire can 
result from many of the same causes, in addition to massive 
failure of electrical and electronic equipment, cargo fires, 
accidental trash fire, such as a cigarette in a waste con- 
tainer, etc. Physical damages may also include liquid dam- 
age from fuel, hydraulic, galley, and toilet leaks. 


The requirement for the communication system is that it 
continue to provide all flight critical functions after any 
damage or fire that is not so severe as to prevent flight 
otherwise. In other words, the primary cause of an accident 
should not be damage to the communication system. The prob- 
ability that the communication system can survive the damage 
is proportional to the probability of that damage. 


To obtain an initial estimate 
communication system is damaged, 
air carrier accidents between 1964 
of the accidents in the Annual Re 


of the probability that a 
a survey was made of all 
and 1977.5 6 The briefs 

views of Aircraft Accident 
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Data, published by the National Transpo 
(NTSB), were used. For each accident, 
first made on whether, if an advanced c 
were used, damage to that system could 
an accident. Two classes of accidents 
those where it was judged unlikely that 
nication system would be damaged, and 
suits of the accident would be the same 
cation system were damaged or not. A to 
were included, 57 of these were conside 
communicaton system damage could have be 


rtation Safety Board 
a determination was 
ommunication system 
have contributed to 
were eliminated: 
any part of a commu- 
those where the re- 
whether the communi- 
tal of 722 accidents 
red to be ones where 
en a factor . 


For each of these accidents, rough estimates are made in 
three categories: the probability of at least one electrical 

cable containing a communication line or communication ter- 
minal was damaged, the probability that more than one line 
or terminal was damaged, and the probability that one par- 
ticular area in the airplane was damaged which would corre- 
spond to a controller of the communication system. These 
probabilities were summed to get a total number of events. 
The results were: 16.7 events for one line or terminal, 5.3 

for more then one, and 0.4 for a control center. The total 
operating hours for this time period was 70.6 million hours. 
The probability rates for damage events per hour are thus 
2.4 X 10"^ for one line, 7.5 x 10’® for two lines, and 6 x 
10*® for a control center. Hot included are incidents which 
may have caused damage not serious enough to report. It is 
also assumed that no unusual care was taken to protect 
against damage. A more thorough analysis of selected acci- 
dents and incidents is necessary to increase confidence in 
these numbers. (A more complete description of the analysis 
performed to estimate these damage probabilities is given in 
Appendix A . ) 


2-4.4 LiqhtnincT 


Lightning is also a significant component of the 
environment for a communication system which achiev 
reliability by redundancy and fault tolerance. Two 
must be considered: First, the probability that a 1 

event with particular charac teris tics occurs, and 
the probability that, given lightning has these char 
tics, the system fails. 
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The probability that an aircraft will be struck by light- 
ning depends on the altitude, location in the world, and 
time of year. Data gathered by the UK for both European and 
world-wide operations found strike incidence rates varying 
from one in 780 hours to one in 19000 hours. The commonly 
accepted rate is once per year or once per 3000 hours. The 
indirect effects of lightning flashes nearby, but not strik- 
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ing the aircraft, may also be significant uhen considering 
any effects on the communication system. The rates for 
nearby strikes are not knoun, but are not assumed to be sig- 
nificantly more than double the direct strike rate. 


The effects of a 
system depend on the 
of the strike. The 


lightning strike on the 
varying intensity and ch 
assumed distributions for 
teristics are given in NASA Reference Publi 
Lightning Protection of Aircraft , pages 21 to 
case strike is the same as that used for the 
design and given in Figure 2. 


communication 
ar ac ter is tics 
these charac- 
cation 1008, 
16.^ The worst 
Space Shuttle 



Figure 2 - 


Diagrammatic 


Representation of Lightning Model 


The probability that a lightning strike with certain 
characteristics will produce an error or cause a complete 
failure of a particular communication system is difficult to 
estimate. The mechanisms by which lightning might induce 
failures are not well understood, but depend on the design 
of the particular system, how it is installed in the air- 
craft, and how it is protected from the effects of light- 
ning . 
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A first estimate of the probability of effects of light- 
ning on the system is obtained from past experience of indi- 
rect effects of lightning on commercial aircraft, as report- 
ed in NASA Reference Publication 1008, page 100. The inter- 
ference and outages on equipment, with direct connections 
outside the aircraft through antennas, etc., were assumed 
not to apply to the internal communication system. The to- 
tal of the other cases gave interference in 12% of the 
strikes and outages in 7%. Thus, the first estimate gives a 
probability of 4 x 10”^ per hour of some interference, and a 
probability of 2.5 x 10"*^ per hour of some damage. 


Some of the candidate advanced communication systems may 
be more susceptible than current equipment due, for example, 
to the use of digital technology or wires that are more 
spread throughout the aircraft. On the other hand, a better 
understanding of interference mechanisms that allows the de- 
velopment of protection techniques may reduce the probabili- 
ty of faults. One technique that appears to offer signifi- 
cant protection is the use of shields grounded at both ends. 
Sometimes, this may be an additional overall shield, where 
single-ended shields are needed to protect it from other 
types of noise . 


For this study, lightning is an unique hazard with the 
potential to affect diverse parts of the communication sys- 
tem simultaneously in unpredictable ways. The methods 
available to bound these effects are limited and difficult 
to construct. For these reasons, the candidate communica- 
tion systems must be made essentially immune from the ef- 
fects of lightning phenomena. 

The immunity can be provided by either passive shielding 
or active Recovery techniques. The techniques which provide 
immunity may vary for different candidate systems. The 
costs for providing the immunity must be included in the 
cost trade-offs for each system, for example, the weight of 
any additional shielding. The lightning protection for the 
processing system that gives the basic supervisory control 
of the communication system is not part of this study. It 
is assumed, however, that the processing system is tolerant 
of lightning hazards and can implement any active recovery 
techniques in the communication system used by a particular 
design . 


Chapter 3 


BASELINE E2UIPMEHT REQUIREMENTS 


The preceding chapter discussed the functions to be per- 
formed by the avionics system that must be supported by the 
communication structures investigated in this study. Some 
baseline assumptions must now be established for the elec- 
tronic equipment necessary to perform these functions. This 
chapter identifies the basic hardware elements that: supply 

the required sensor information; provide the display and 
control interface with the crew; and interface with the ac- 
tuators that control the aerodynamic surfaces, engines, and 
other aircraft systems. A parameter list is established 
corresponding to each sensor or effector to estimate the 
amount of data that must be communicated, along with re- 
quirements for accuracy, data rates, time delay, and reli- 
ability. The equipment set and associated parameter list 
are not based on a detailed design of a complete avionics 
system. They are assumed, however, to be sufficiently rep- 
resentative to define a realistic baseline for the communi- 
cation system study. The next chapter identifies alterna- 
tive configurations which organize these hardware elements 
into a total system. 

The equipment and parameters discussed are primarily con- 
cerned with sensor systems and effectors. No attempt is 
made here to predict the communication load attributable to 
the computer systems themselves, or to estimate intra-com- 
puter system communications. These characteristics are too 
dependent on the particular system design to allow meaning- 
ful estimates. 

The equipment and parameters are listed in major group- 
ings roughly corresponding to the functional areas mentioned 
earlier. Table 1 depicts a typical parameter list. 

The information with each parameter includes: the quantity, 

the required digital resolution, the data rate, the response 
time or allowable transport delay, the assumed criticality 
of that set of parameters (not necessarily of each individu- 
al parameter in a redundant set), and the typical location 
of that signal in the aircraft. This information comes from 
a variety of sources. A primary source is the ARINC BITS 
Specification 429. 
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TABLE 1 


Flight Data Sensors 


Parameter 

Quantity 

Resolution (DITS) 

Samp. /sec 

Resp. Time 

Criticality 

Location 

Angular Rate 

9 

13 

50 

10 ms 

VH 

Avionic Bay (AB) 

Acceleration 

9 

12 

50 

10 ms 

VH 

AB 

Flutter Sensor 

6 

10 

100 

2 ms 

H 

Wing 

Static Pressure 

2 

16 

10 

50 ms 

II 

AB 

Total Pressure 

2 

14 

10 

50 ms 

H 

AB 

Total Temperature 

2 

10 

2 

1 s 

M 

Nose 

Angle-of-Attack 

2 

11 

50 • 

10 ms 

M 

Nose 

Magnetic Field Sensor 

2 

12 

50 

10 ms 

H 

Wing 


★ 

VH Total Failure Rate less than 10 

-7 

H Total Failure Rate less than 10 
M Total Failure Rate less than 10 ^ 
L No Safety of Flight Requirement 


AIRCRAFT FLIGHT DATA SENSORS 
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Table 1 includes; strapped down angular rate and acceler- 
ation sensors, flutter control sensors in the wing, air 
pressure and temperature sensors, angle-of-attack vanes, and 
flux gates. The total reliability requirement for inertial 
sensors is very high to support the active control of a ba- 
sically unstable aircraft. Sensor redundancy achieves this 
high reliability. The number of sensors required depends on 
the basic reliability of the sensors and the redundancy 
scheme. A compromise is made here of nine sensors, each 
representative of either simple triple redundancy of high 
reliability sensors or a more sophisticated skewed arrange- 
ment of less reliable sensors. The reliability requirement 
for the other sensors is not as high because some alternate 
data or emergency procedures avoid a catastrophe in most 
cases . 


t 
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3 . 2 FLIGHT CONTROL ACTUATORS 

The parameter list for the flight control actuators is 
given in Table 3. There are two groups; one for the command 
signals going to the actuators, and the other for the sur- 
face position sensors bringing information back into the 
system. The parameters listed are the interface between the 
flight control processing system and the servo electronics. 
Several other signals are necessary between the servo elec- 
tronics and the hydraulic actuator, including; position 
feedbacks, rate feedbacks, differential pressure sensors, 
engage discretes, etc. These signals are transferred by 
dedicated wires and do not involve the primary communication 
system. The location of the servo electronics, then, is 
crucial in establishing the requirements for the communica- 
tion system. 
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TABLE 2 


Independent Flight Data Computers 


Parameter 

Quantity 

Parameters 

Resolution (BITS) 

Samp. /sec 

Resp. Time 

Criticality 

Location 

Independent Flight Data 
Computers 








Inertial Reference System 

3 

14 

(30 INC Navigation) 

18 (max) 

50 (max) 

20 ms 

VH 

AB 

Air Data System 

2 

13 

18 (max) 

16 (max) 

50 ms 

H 

AB 


TABLE 3 


Flight Control Actuator Signals 


Parameter 

Quantity 

Resolution 

(BITS) 

Samp/Sec 

Resp. Time 

Criticality 

Location 

Flight Control Actuator Commands 







wing Dynamic Control Surfaces 
(Roll, DLC, MLC, GLA, EMS) 

10 

12 

50 

10 ms 

VH 

Wing 

Wing Flutter Suppression 

6 

12 

100 

2 ms 

H 

Wing 

Wing Configuration Control 
(Flaps, Slats, Variable Chamber 
Spoilers) 

20 

1 

10 

100 ms 

M 

Wing 

Tail Dynamic Control Surfaces 

11 

12 

50 

10 ms 

vn 

Tail 

Landing Gear Operation 

6 

1 

1 

100 ms 

li 

2 Nose Gear 
4 Main Gear 

Steering 

1 

10 

10 

50 ms 

L 

Nose Gear 

Brakes 

5 

8 

10 

50 ms 

H 

1 Nose Gear 
4 Main Gear 

Control Surface Position Sensors 







Wing Dynamic Surfaces 

8 

12 

50 

10 ms 

H 

Wing 

Wing Flutter Suppression 

6 

12 

100 

2 ms 

H 

Wing 

Wing Configuration Analog 

4 

10 

10 

100 ms 

M 

Wing 

Wing Configuration Discrete 

20 

1 

10 

10 ms 

M 

Wing 

Tail Surfaces 

6 

12 

50 

10 ms 

II 

Tall 

Landing Gear Analog 

1 

10 

10 

50 ms 

L 

Landing Gears 

Landing Gear Discrete 

20 

1 

10 

50 ms 

M 

Landing Gears 


Servo electronics are currently included uithin the 
flight control system in the avionics bay. In the future, 
the electronics will most likely be included uith the actua- 
tors. This uill be the case by the end of the target time 
period, and may also be true at the beginning of the time 
period for some of the actuators. This shift will not sig- 
nificantly change the load on the communications but will 
affect its physical geometry. The distinction will be made 
when summarizing the total requirements. 

The flutter control will probably be performed with a 
dedicated control loop, either locally or centrally. How- 
ever, the data requirements are retained within the communi- 
cation system to hold the option open. 


3. 3 NAVIGATION SENSORS 

The navigation sensors are given in Table 4. Most of 
these data requirements are moderate and well defined. It 
is likely that the Global Positioning System (GPS) will be 
implemented at least by the end of the time period. The GPS 
function is assumed to be partially integrated. The basic 
control of the receivers will be retained in the GPS unit 
itself. The navigation equations, however, will be solved 
in the central computers where other navigation data will be 
combined to provide both mutual calibration and error detec- 
tion functions. The highest data rate requirement will be 
line of sight velocity data from inertial sources that is 
fed back to the receiver units to improve the signal track- 
ing loops. 

Weather radar is included as a navigation sensor. An 
ARINC standard has been established for the weather radar 
data output from the transmitter-receiver unit. This data 
is at a very high rate so dedicated lines are assumed that 
are not included in the primary communication system. 


3 . 4 COMMUNICATIONS EQUIPMENT 

The parameters involved with radio communications are 
given in Table 5. The normal radio equipment will place a 
small load on the data communication system. The only sig- 
nificant function will be the transfer of tuning and control 
messages to the transceivers. 

The load on the data communication system will be prima- 
rily due to the data link functions of the radio communica- 
tions system. The aircraft has full capability for both ATC 
DABS data link and company ARINC data link throughout the 
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TABLE M 


Navigation Sensors 


Parameter 

Quantity 

Resolution 

(BITS) 

Samp/Sec 

Resp. Time 

Criticality 

Location 

VOR Angle 

2 

12 

16 

20 ms 

M 

AB 

DME Dist 

2 

16 

16 

20 ms 

M 

AB 

ADF Bearing 

2 

12 

16 

20 ms 

M 

AB 

ILS Localizer 

2 

13 

16 

20 ms 

H 

AB 

ILS Glide Slope 

2 

13 

16 

10 ms 

H 

AB 

Marker Beacon 

6 

1 

1 

100 ms 

M 

AB 

Radio Altitude 

2 

17 

20 

10 ms 

H 

AB 

MLS Azimuth 

2 

13 

10 

10 ms 

H 

AB 

MLS Evaluation 1 

2 

13 

10 

10 ms 

H 

AB 

MLS Evaluation 2 

2 

13 

10 

10 ms 

H 

AB 

MLS Range 

2 

13 

10 

10 ms 

H 

AB 

MLS Data 

2 

90 

0.1 

1 sec 

M 

AB 

GPS Receiver 

8 

32 

0.5 

10 ms 

M 

AB 

GPS Data 

1 

1500 

.008(2/min) 

N/A 

M 

AB 

GPS Line of Sight Vel In 

4 

16 

50 

10 ms 

M 

AB 

Weather Radar Attitude 
Stab 

2 

14 

50 

10 ms 

M 

Nose 

Weather Radar Data 

2 

1600 

512 

N/A 

M 

AB 

Navigation Frequency and 
Mode Control 

10 

21 

5 

100 ms 

H 

AlB 


TABLE 5 


Radio Communications Equipment 




Resolution 





Parameter 

Quantity 

(BITS) 

Samp. /Sec 

Resp. Time 

Criticality 

Location 

Comm Receiver Frequency 
and Mode Control 

5 

21 

5 

100 ms 

H 

AB 

Transponder Control 

2 

18 

5 

100 ms 

H 

AB 

DABS Data Link 

4 

88 

1600 

* 

100 ys 

U 

AB 




16 

250 ms** 



ARINC Data Link 

1 

220 

.5 

1 sec 

L 

AB 

Passenger Service Terminal 

1 

220 

.5 

10 sec 

L 

Cabin 


* 

Non Buffered 

* * 


Buffered 


target time period. A dedicated buffer is used uith the 
DABS data link so that the data communications system can be 
relieved from tight timing requirements. 


3 . 5 COCKPIT EQUIPHEKT 

The tasks performed in the cockpit are involved in almost 
all aircraft functions. These tasks are divided into five 
areasJ the primary flight controls (wheel, pedals, etc.), 
the primary flight displays, the aircraft operational con- 
trol and display (flight path commands, autopilot mode se- 
lection and display, system status, etc.), aircraft systems 
control and display, and terminals for communicating uith 
the avionics system. The estimated parameter list is given 
in Table 6 . 

During the target time period, the mechanical linkage 
will presumably be removed. The primary flight control thus 
becomes flight crucial. This task will place the highest 
reliability requirement on the communication system from the 
cockpit . 

The primary flight displays and the great majority of 
aircraft system displays will be multifunctional, using CRTs 
or some newer technology. These displays will normally be 
generated in electronic units mounted in the primary elec- 
tronics bays. The communication between the display genera- 
tors and display indicators are very high frequency video 
signals which remain dedicated and do not affect the commu- 
nication systems. The basic data input into the display 
generators will be included in the communication require- 
ments. The other cockpit data requirements are more moder- 
ate and are at the levels listed in Table 6. 


3.6 ENGINE AND AIRCRAFT SYSTEM MONITORING , CONTROL , AND 
SUPPORT 

The communications necessary to support the monitoring, 
control, display, and maintenance aides for the engines and 
all of the assorted aircraft systems, are primarily distin- 
guished by the large number of different signals scattered 
throughout the aircraft. Table 7 gives a rough estimate of 
parameters that can be presently identified for each of the 
major systems. Most likely, several more signals will be 
added, particularly for maintenance support purposes. To 
account for these additional parameters, the total load on 
the communication system doubles that shown in Table 7. 


30 


TABLE 6 


Cockpit Controls and Displays 


Parameter 

Quantity 

Resolution 

(BITS) 

Samp. /Sec 

Resp. Time 

Criticality 

Location 

Cockpit Primary Controls 
Control Wheel 

6 

12 

50 

10 ms 

VH 

Cockpit (CP) 

Pedals (Rudder & Brakes) 

6 

12 

50 

10 ms 

VH 

CP 

Trim 

9 

1 

10 

50 ms 

11 

CP 

Flaps 

3 

8 

10 

50 ms 

If 

CP 

Speed Brakes 

3 

1 

10 

50 ms 

H 

CP 

Nose Wheel Steering 

3 

8 

10 

50 ms 

M 

CP 

Primary Flight Displays 
Display Indicators 

4 

I 

ledicated (' 

10 MHz) 


CP 

Flight Display Generator 

2 

576 

50 

10 ms 

H 

AB 

Systems Display Generator 

2 

528 

10 

50 ms 

H 

AB 

Flight Operational Control 
and Display 

1 

288 

10 

50 ms 

H 

CP 

Systems Control and Display 

1 

50 

10 

50 ms 

H 

CP 

Avionics System Terminal 

2 

80 

10 

50 ms 

M 

CP 

Cockpit Printer 

1 

640 

1 

N/A 

M 

CP 


TABLE 7 


Engines and Aircraft Systems . 


Parameter 

Quantity 

Resolution 

(BITS) 

Samp ./Sec 

Resp. Time 

Criticality 

Location 

Aircraft Engine 

4 

96 

10 

50 ms 

M 

Wings 

Hydraulic 

1 

96 

1 

100 ms 

M 

Mid Fuselage (MF) 

Fuel 

1 

156 

1 

100 ms 

M 

MF 

Electrical 

1 

168 

1 

100 ms 

M 

MF 

Pressure/Oxygen 

1 

180 

1 

100 ms 

M 

MF 

APU 

1 

102 

10 

100 ms 

M 

Tail 

Airconditioning 

1 

180 

1 

100 ms 

M 

MF 

Bleed Air/Antl-Ice 

1 

24 

1 

100 ms 

M 

Wings 

Flight Data Recorder 

1 

768 

1 

N/A 

M 

Tail 
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MISCELLANEOUS EQUIPMENT 


Listed in Table 8 are two other pieces of equipment most 
likely used in support of several functions: One is a 

flight data storage unit which stores data for use in flight 
management and navigation, and can also store flight manual 
and maintenance manual type data for display in the cockpit. 
Provision must be made to update this data periodically, 
with some operational data to be updated every flight. Nav- 
igation reference data must be updated at established times, 
such as every 60 days. The update may actually replace the 
memory medium, e.g., tape or by data link. 


The other device listed is an audio generator, 
vice would be commanded by the system to generate 
into the audio system for the warning functions, 
be used for some of the ATC and company data link 


This de- 
the inputs 
as well as 
messages . 


3.8 SUMMARY OF DATA REQUIREMENTS 


The data requirements for the 
are summarized in Table 9. Almo 
mitted as 16 bit words, and disc 
words. The flight data storage 
ed because this transfer should 
time, probably on the ground, 
while weather radar data is not 
rates . 


various types of equipment 
st all parameters are trans- 
retes are packed into 16 bit 
system rates are not includ- 
occur during a non-critical 
Flutter control is included, 
because of the high data 


Table 10 gives the data requirements by approximate 
tion in the aircraft, assuming both that the servo ele 
ics are in the avionics bay and alternatively located 
the servos. The numbers in parentheses are for a sy 
with flutter control parameters removed. 


loca- 
c tr on- 
wi th 
stem 
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TABLE 8 

Miscellaneous Equipment 


1 

CO 

Parameter 

Quantity 

Resolution 

(BITS) 

Samp. /Sec 

Resp. Time 

Criticality 

Location 

-p 








1 

Flight Data Storage Unit 

1 

8000 

1 

N/A 

M 

AB 


Audio Generator 








(Tone and Voice Synthesis 

2 

80 

1 

100 ms 

H 

AB 


TABLE 


9 


Summary of Communication 

Requirement 


Equipment Class 

Words/sec 



Flight Data Sensors 

1744 

Flight Control Actuators 

3500 

Navigation 

641 

Communi c at ions 

130 

Cockpit 

3191 

Aircraft Systems 

446 

Miscellaneous 

10 

9662 

Bits/sec 

155K 
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Communication Requirements by Area 


Location 

Central 

Servo Electronics 

Dispersed 
Servo Electronics 

Avionic Equipment Bays 

131.5k(98.5k) 

60k 

Nose & Nose Geax 

2k 

3.5k 

Wing 

Ik 

57,5k(24.5k) 

Tail 

2k 

15.5k 

Cockpit 

17k 

17k 

Fuselage/Cabin/Main Gear 

1.5k 

1.5k 


Chapter 4 


ALTERNATE SYSTEM CONFIGURATIONS 


This chapter discusses configurations of total systems 
that might be used to organize the basic hardware elements 
described in the preceding chapter. First, several factors 
are discussed that will influence the system design. Next, 
a broad range of potential system configurations is created. 
This range is then narrowed down to three alternative system 
designs that are representative of the configurations ex- 
pected to develop through the target time period. 


4 . 1 SYSTEM DESIGN CHARACTERISTICS INFLUENCING THE 
COMMUNICATION SYSTEM 

Some characteristics of the potential avionics system 
configurations are discussed that influence the communica- 
tion system. These include: the degree of functional inte- 
gration, the physical location of the equipment, and the 
configuration of the central fault-tolerant computer system. 


4.1.1 Extent of Functional Integration 

One design characteristic which will have significant in- 
fluence on communications is the degree to which individual 
functions are kept separate or integrated into the system. 
The degree of integration can influence the load on the com- 
munication system in either direction, as illustrated in the 
following examples : 

The first example, the flutter control function, illus- 
trates how greater integration can increase the amount of 
data handled. The flutter control function, previously de- 
scribed, requires a very high data rate. If the control 
function is integrated into a central processor, high sensor 
and command signal data rates must be handled by the primary 
communication system. If this control loop is closed lo- 

cally, there is essentially no load on the communication 
system due to this function. The second example, the air 
data function, is one in which a greater degree of integra- 
tion reduces the amount of data communicated. In current 
systems, a Digital Air Data System (DADS) processes measure- 
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ments from the total and static pressure sensors, a total 
temperature probe, and angle of attack sensors, to produce a 
set of parameters that can be derived from these measure- 
ments. The DADS produces as many as 16 output parameters, 
including^ barometric corrected and uncorrected altitude, 
altitude rate, computed airspeed, Mach number, true air- 
speed, etc. In a system where other functions using air 
data are also not integrated, these parameters must be dis- 
tributed to many different locations. In the current sys- 
tem, the DADS output may go to as many as 19 other systems, 
such as: redundant flight control, flight augmentation, 

flight management, and warning computers, as well as the 
flight instruments, transponder, and cabin pressure control- 
ler. In a more integrated system, only the basic sensor 
measurements are communicated. Also, assuming most other 
user functions are integrated, this data does not have to be 
distributed to many different places. 


4.1.2 Physical Location 

Another system characteristic which will have an impor- 
tant influence on the communication system is the physical 
location of the electronics, or the degree the hardware is 
centralized or dispersed. Factors that influence the physi- 
cal location of electronics are: 

1 . Environment 


2 . Maintainability 

3 . Wiring costs 

4. Damage tolerance 


Environment and m 
the equipment be 
environmental con 
age tolerance con 
dispersed and pla 
The balance betwe 
by the pace of te 
vices become avai 
severe environmen 
per sed systems . 


aintenance consider ations wi 
concentrated in central loca 
trol and easy access. Wire 
siderations will require th 
ced closer to the equipment 
en these conflicting trends 
chnological development. As 
lable to provide very high 
ts , the balance will shift 


11 require that 
tions with good 
length and dam- 
at equipment be 
being serviced, 
is determined 
electronic de- 
reliability in 
to more dis- 


For the next generation of aircraft to 
at the beginning of the target time period, 
tant factor is the environment, followed c 
nance. Aircraft operators, especially airl 
prove the failure rate of electronics an 
maintenance costs. One of the major cause 


start development 
the most impor- 
losely by mainte- 
ines, want to im- 
d thus reduce 
s of failures is 
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environmental stress, particularly temperature. Hew 
installation concepts are being developed particularly by 
the AEEC for the airline industry. The first phase of the 
work of the New Installations Concepts (NIC) Subcommittee of 
AEEC has resulted in ARINC Char ac teris tic 600®, which will 
be used for the generation of aircraft currently being de- 
veloped, including the Boeing 767 and 757. The new ARINC 
characteristics allow electronic modules to be smaller, and 
to be more protected from the environment. Of particular 
interest is self-contained cooling, which operates when the 
aircraft is on the ground and the primary aircraft environ- 
mental control system is not operating. Following phases of 
the NIC activity have already been identified which further 
improve the environment for electronics. This trend will 
encourage the electronics to become more concentrated as 
long as suitable precautions can be taken to avoid common 
mode failures due, for example, to physical damage or fire. 
If this trend prevails, a majority of the electronics in an 
aircraft may be relatively close to each other in a substan- 
tially protected and controlled environment. The nature of 
the communication system that is most effective in this 
situation may significantly vary from one which supports 
equipment distributed throughout the aircraft in an arbi- 
trarily poor environment. 


In the 
draw the 
most like 
can be e 
tained . 
may now b 
ment can 


near term, the dominant 
equipment together. Elec 
ly to be in centrally loc 
nvironmen tally controlled 
Some equipment previously 
e brought into central loc 
be more easily controlled. 


factors will most likely 
tronic equipment is thus 
ated equipment bays that 
and conveniently main- 
dispersed in the aircraft 
ations where the environ- 


A c 
elec tr 
moti va 
comple 
cause 
availa 
var iou 
tronic 

their equipment, 
give significant 
tiveness of many 
of completely ne 
processors are e 
electronics prov 
tion and output 
use new types of 

Another example is high tec 
become too complex to be contr 
trollers alone. Production mil 


advantages of embedding 
ystems. This trend is 
ystems are getting more 
control, but also be- 
technology is making 
t. Manufacturers of 
obably use embedded elec- 
and/or reduce the cost of 
electronic technology can 
to greatly improve the effec- 
ces, and make possible the use 
For example, simple digital 
pressure transducers. The 
such as temperature compensa- 
zation, to make it possible to 
te sensing devices. 

hnology engines, which have 
oiled by hydromechanical con- 
itary engines and the engines 


ompeting trend arises from the 
onics within many aircraft subs 
ted not only because these subs 
X, and thus more difficult to 
the development of electronic 
ble high capability at low cos 
s pieces of equipment will pr 
s to improve the performance 
The explosion in 
opportunities 
existing devi 
w techniques . 
mbedded inside 
ide functions, 
signal linear! 
highly accura 
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now being developed for commercial aircraft already have 
integrally mounted electronic controllers. 

Another situation which may have even greater impact on 
the communication structure is flight control surface actua- 
tors. At least one manufacturer is interested in including 
the servo control electronics integrally with the servo. 
The moving of the servo electronics from the electronics bay 
to the actuators will probably be most influential in chang- 
ing the nature of the communication system from one primari- 
ly concentrated in avionics bays to one distributed through- 
out the airplane. 

The communication technology itself can influence the 
spread of electronics. If fiber optic links can solve prob- 
lems such as lightning interference, active electronics will 
most probably be employed on the remote end of these links 
to convert the signals to a usable form. Once active elec- 
tronics are established at remote locations, they can sup- 
port both the local equipment and the communication system. 

For many devices, electronic technology cannot provide 
the necessary reliablilty in the severe environments associ- 
ated with the devices. However, as more advanced technology 
becomes available, electronics are likely to be dispersed 
throughout the aircraft, independent of any explicit deci- 
sion by those responsible for the design of the total sys- 
tem. When this occurs, a more effective total system design 
can be produced by recognizing the existence of this dis- 
persed electronic capability and by including it in the de- 
sign concepts. For example, this dispersed electronics can 
support a more global communication structure. An assumption 
made here is that a majority of the electronics will be in 
centralized electronic bays at the beginning of the target 
time period, but that a greater percentage will be distrib- 
uted in the aircraft by the end of the time period. 


4 . 1 . 2 . 1 

Physical Location 

Alternati V 

These 

trends can now be 

used to 

ide 

ical loc 

ations that might 

be used 

dur 


period. A trade-off analysis is per 
the relative characteristics of these 
formation is used to narrow the alter 
three that become the basis for the 
used in the remainder of this study, 
one end of the range will have almost 
location. This choice of location re 
from current practice. How, a majori 
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in other locations ^ however, such as in the wing root area, 
tail, and various other locations. This more concentrated 
configuration could result from equipment being drawn into a 
common location to take advantage of special environmental 
control equipment that may be incorporated in future air- 
craft. Nonetheless, this configuration is included in this 
study to provide a baseline and a logical extreme for the 
requirements of the communication structure. 

Electronics may be dispersed from this one location op- 
tion for at least two reasons 2 One reason is to put the 

electronics closer to the equipment being serviced. This 
move could subs tantially reduce wiring and installation 
costs and possibly improve performance. The other reason is 
to reduce the probability that a common event, such as dam- 
age, could cause complete failure of a critical function. 


The next location alternative defined for this study is 
to separate the single location into two or three compart- 
ments in generally the same area of the aircraft. These 
compartments will be sufficiently separated or protected so 
that the probability of a single survivable event damaging 
equipment in more than one location will be extremely small. 
These locations may or may not be related to the logical or- 
ganization. For example, a dual-dual system may be put in 

two locations, and a triplex system in three, or a triplex 

system can be placed in two locations as long as probable 

damage at one location will not cause loss of a critical 

function. If a correspondence exists between the logical 
and physical organization, the redundancy within a compart- 
ment may be relaxed for items like power supplies or commu- 
nication buses. 


The next extension in location alternatives is 
the electronics closer to the equipment being serv 
primary driver in this process is the flight cont 
electronics which may require as many as 13 wires 
channel. Flight critical fly-by-wire and active 
functions require significantly larger numbers of 
channels than at present both for redundancy and 
aerodynamic surfaces. These actuators are almost 
ed in the wings or tail. By creating electronics 
the wing root area and aft fuselage, considerable 
be saved. Within these three general areas, nos 
root, and tail, the electronics can be located to 
again separated into two or three compartments at 
eral location. 


to move 
iced. The 
rol servo 
for each 
control 
actuator 
additional 
all locat- 
areas in 
wire can 
e, wing 
gather or 
each gen- 


Until now, there has been no significant dis 
from environmental or maintenance considerations, 
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be duplicated and maintenance personnel may have to visit 
more than one area to make repairs. 

The next step in dispersing electronics involves moving 
outside the environmentally controlled fuselage, thus con- 
siderably increasing the environmental and maintenance dis- 
advantages. The final two options for this study create ad- 
ditional areas for electronics both outside the fuselage in 
the wings and tail and embedded in the using equipment. 


The embedded alternative is most easily define 
the electronics are included in the equipment b 
viced. Much of the electronic equipment, such 
computers, navigation sensors, and communication 
will be located in central equipment compartment 
tronics associated with other aircraft equipment 
actuators, engines, and environmental control sys 
be embedded directly in the equipment being servi 
embedded electronics will be recognized in the t 
design and must be serviced by the communication 


d. Here, 
eing ser- 
as central 
equipment , 
s . Elec- 
, such as 
terns, will 
ced . This 
otal system 
structure . 


Finally, a physical lo 
compromise between the em 
with all the equipment in 
called a multilocation sys 
move the electronics as cl 
being serviced, it may no 
space, or maintenance rea 
the equipment. The multilo 
remote electronics areas 
trailing edge, engine pylo 
is less severe than it mi 
and where maintenance acce 
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The range of possible locations studied 
Table 1 1 . The following section compares 
and narrows down to three the number to be 
sequent analysis of communication structure 


is summarized in 
these locations 
used in the sub- 
s . 


4 . 1 . 2 . 2 


Comparison of Physical Locations 


A comparison of these physical location options is made 
in four areas*- wire lengths, damage tolerance, environmental 
penalties, and maintainability. Rough quantitative compari- 
sons are made of the wiring differences, while the other 
comparisons are qualitative. 


To estimate relative wire lengths, assumptions are 
about the number of wires involved in servicing the v 
pieces of aircraft equipment. These assumptions are 
in Table 12. The presumed size of the aircraft and 
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TABLE 11 


• Location Options Considered 


1 . 
2 . 

3. 

4. 

5. 
6 . 

7 . 

8 . 


One location: One compartment 

Two compartments 
Three compartments 

Three locations: One compartment each 

Two compartments each 
Three compartments each 

Multilocation 

Embedded 


equipment locations are shown in Figure 3. The calculation 
of estimated wire length is given in Table 13. The three 
alternative conf igur ations in the same general location will 
have essentially the same wire lengths. For all configura- 
tions, except the ones in one location, the wire saved will 
be offset to some extent by the wire necessary to intercon- 
nect the equipment locations. This amount of wire depends 
on the communication technique used. The amount of wire in- 
volved is relatively small compared to the wires necessary 
to service the equipment and will thus not significantly ef- 
fect the results. A representative amount is used here. 

These results show that the biggest change in the amount 
of wire occurs when going from the one location systems to 
the three location system. The percentage reductions for 

the multilocation and embedded systems are less but still 
significant. 

Damage tolerance is a concern for a system contained in a 
single compartment in a single location. The results of the 
damage probability study discussed in Chapter 2 show that 
the probability of damage to a single location can be as 
high as 10"® per hour. This probability can be reduced to 
acceptable levels with some separation or protection between 
compartments so one event is unlikely to damage all redun- 
dant equipment needed to perform any critical function. 
Care must also be exercised in systems where equipment is 
placed in three different locations in the aircraft to as- 
sure that no particular function is vulnerable to damage. 
For example, to put all of the pitch control electronics in 
a single compartment in the tail of the aircraft would be 
unwise. The damage study indicates that the tail area is 
more likely to be damaged than an area near the nose. The 
pitch control function will be protected by placing redun- 
dant pitch control electronics either in another location in 
the aircraft or by separate compartments in the tail. When 
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Figure 3= Assumed Mire Run Distances 
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TABLE 12 


Assumptions for Wire Length Comparisons 


EACH ACTUATOR CHANNEL: 

COMMAND 2 

ENGAGE 3 

RATE FEEDBACK 4 

POSITION FEEDBACK 4 

(PER ARINC 701) ^ 13 

MID E2UIPMENT AREA : 

HYDRAULICS 42 

FUEL 43 

MAIN GEAR 50 

ELECTRICAL POWER 50 

PRESSURIZATION 16 

AIR CONDITIONING 33 

234 

WING : 

ENGINE (EACH 75) 150 

BLEED/ANTI-ICE 19 

169 

AFT COMPARTMENT: 

ENGINE • 75 

PRESSURIZATION 16 

AIR CONDITIONING 14 

105 


minimal precautions are made to increase damage tolerance, 
damage will not be a significant factor in determining loca- 
tion . 

Environment and maintenance are discussed only qualita- 
tively. Neither environment nor maintenance is significant- 
ly affected as long as the equipment remains in the pressur- 
ized fuselage. Only small penalties exist in going from 
systems located in generally one area to ones located in 
three areas. Some environmental control equipment may have 
to be duplicated and maintenance procedures may be slightly 
less efficient. These two factors become significantly more 
important when any equipment is located outside the pressur- 
ized fuselage. A multilocation system allows some consider- 
ation for avoiding the worst environments and provides loca- 
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TABLE 13 


Wire Length Comparison 


ONE LOCATION SYSTEM: 


WING ACTUATORS 24 

ACT 

X 1 3 

WIRES 

X 

50 M = 

15 

,600 

TAIL ACTUATORS 18 

ACT 

X 1 3 

WIRES 

X 

7 0 M = 

16 

, 380 



234 

WIRES 

X 

30 M = 

7 

,020 



169 

WIRES 

X 

50 M = 

8 

, 450 



105 

WIRES 

X 

70 M = 

7 

, 350 
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, 800 

THREE LOCATION SYSTEM: 








WING ACTUATORS 24 

ACT 

X 1 3 

WIRES 

X 

20 M = 

6 

,240 

TAIL ACTUATORS 18 

ACT 

X 1 3 

WIRES 

X 

10 M = 

2 

, 340 

MID EQUIPMENT 


234 

WIRES 

X 

3 M = 


702 

WING EQUIPMENT 


169 

WIRES 

X 

2 0 M = 

3 

, 380 

AFT EQUIPMENT 


105 

WIRES 

X 

5 M = 


525 

BAY INTERCONNECT 4 

BUSES X 

6 MIRES X 

30 M 

= 

720 

4 

BUSES X 

6 MIRES X 

70 M 

= 1 

, 680 







15 

, 587 


SAVINGS 

39,213 

M 

OR 72% 


MULTI LOCATION SYSTEM: 








WING ACTUATORS 

24 

X 13 

WIRES 

X 

*6 M = 

1 , 

872 

TAIL ACTUATORS 

24 

X 1 3 

WIRES 

X 

6 M = 


702 

MID EQUIPMENT 


234 

WIRES 

X 

2 M = 


468 

WING EQUIPMENT 


169 

WIRES 

X 

3 M = 


507 

AFT EQUIPMENT 
LOCATION 


105 

WIRES 

X 

3 M = 


315 

INTERCONNECT 4 

BUSES X 

6 MIRES 

X 60 = 

1 , 

440 

4 

BUSES X 

6 MIRES 

X 80 = 

1 , 

920 







7, 

044 


SAVING 47,756 

OR 

87% 



EMBEDDED SYSTEM: 








TERMINAL INTERCONNECT 








ASSUME NETWORK 

6 

BUSES 

DEEP 

THROUGH FUSELAGE 


3 

BUSES 

DEEP 

OUT 

EACH 

WING 


6 

BUSES 

X 6 MIRES X 80 

M 

= 2, 

2 X 

3 

BUSES 

X 6 MIRES X 30 

M 

= 1 , 


3,960 


SAVING 50,840 M OR 93% 


(ASSUME 1 TWISTED SHIELDED PAIR = 3 WIRES) 
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tipns uith reasonable access for maintenance. However, it 
will not likely be cost effective to provide any special 
equipment to control the environment at multiple locations. 
The embedded electronics is completely at the mercy of the 
equipment in which it is located. The environment may be 
considerably worse and maintenance may be complicated if the 
electronics cannot be removed without removing the equipment 
in which it is embedded. 

A summary of the results of the comparison of physical 
locations is given in Table 14. The environmental and main- 
tenance factors are weighted from 0 to 10 where 10 is taken 
as ideal and numbers less than 10 correspond roughly to the 
relative standings of the locations with respect to the 
ideal. 


TABLE 14 

Summary of Physical Location Comparisons 



ONE 

THREE 

MULTI 

EMBEDDED 


LOCATION 

LOCATION 

LOCATION 

LOCATION 

DAMAGE 

o 

1 

CO 

10“ VIO’ ^ ^ 

<10“ ^ 

<<10“ ^ ^ 

TOLERANCE 





WIRE LENGTH/ 

0 

7 2% 

87% 

9 3% 

COST SAVINGS 





ENVIRONMENTAL 

9 

9 

3 

1 

CONDITIONS 





MAINTAINABILITY 

9 

8 

5 

0 


The systems placed in three locations in the aircraft can 
obtain a majority of the potential savings in wire length 
without significant disadvantages in environment or mainte- 
nance. A multilocation system can save an additional 15% in 
wire. This additional wire savings may not compensate, how- 
ever, for the disadvantages in environment and maintenance. 
The embedded system can save an additonal 21% in wire but 
has greater disadvantages in other categories. An embedded 
system will not be chosen on the basis of wire savings 
alone. As technology develops toward the end of the target 
time period to provide components with a high reliability in 
a severe environment, electronics are likely to be embedded 
to increase the ef f ec tiveness of the remote equipment it- 
self, as previously discussed. 
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The location alternatives can nou be reduced to a repre- 
sentative set for the communication study. As far as the 
communication requirements are concerned, little distinction 
exists among configuration alternatives where the equipment 
is found in one or more compartments in the same general lo- 
cation. When communication structures are studied to the 
level of detail where this distinction is important, appro- 
priate extensions can be made to account for the separate 
compartments. The communication structures can be adequate- 
ly studied using the smaller subset of configurations ob- 
tained by merging the options where equipment is located in 
essentially the same places. 


it 

as 

doe 

app 

des 


The multilocation system has also been eliminated since 
is not significantly different from the embedded system 
far as communication requirements are concerned, and thus 
s not signif icantly contribute to the study. Nor does it 
ear to offer sufficient advantages to the total system 
ign for extensive use in future systems. 


The three basic system configurations chosen for this 
study are thus: a one location system, a three location sys- 
tem, and an embedded system. The one location system pro- 
vides a logical extreme in the range and forms a good base- 
line most representative of current systems. The three 

location system is chosen as the one that appears most effi- 
cient for near term systems. The embedded system provides 
the other logical extreme and may be used at the end of the 
target time period. 


4.1.3 Computer Conficruration 

The central f aul t-toler ant computer system could also 
have a significant impact on the communication structure. 
Traditionally, computers have been large, relatively expen- 
sive, and placed in some central location. However, with 
the explosion of microprocessor technology and the need for 
multiple interconnected computers, the central computer com- 
plex will most likely be dispersed in the aircraft. For ex- 
ample, in the three location system, a part of the computer 
could be in each location. 

A dispersed central computer could have an obvious impact 
on the nature of the communication structure. Depending on 
the particular design of the computer system, external 
equipment may be connected to the computer at each location. 
The various parts of the computer system will be intercon- 
nected by its own data transfer technique. In these cases, 
the central computer will create a common data base. The lo- 
cation-to-location communication thus implicitly occurs 
within the computer system. The need for a communication 
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structure to handle a large amount 
distances in the aircraft is reduced, 
sign for the communication structure 
ferent from one responsible for communicating data through- 
out the aircraft to and from one central location. 


of data over long 
Thus, the optimum de- 
will probably be dif- 


Even though a dispersed fault tolerant computer may be 
attractive for some future systems, it is not considered in 
this study for the following reasons. First of all, exist- 
ing fault-tolerant computer designs are not dispersed, 
largely because it is difficult to do so without enlarging 
the system's cross section to damage. Second, the internal 
communications among the elements of a fault-tolerant com- 
puter are an integral part of the design of the computer and 
are beyond the scope of this study. The effective design of 
a system of this type requires the integration of the design 
of a particular f ault-toler ant computer with the design of 
the communication with the external equipment. Since this 
study is not concerned with the design of f ault-toler ant 
computers themselves, it is assumed that the central comput- 
er is in one location and the communication system under 
study must transfer all data from the various locations in 
the aircraft to this one location. Also, a reasonable 
amount of care in the design and some protection will reduce 
the probability that a damage event will cause total failure 
of the computer system. 

The assumption that the computer is in one location also 
places the highest requirements on the communication system. 
The results from this study apply to most systems with a 
distributed central computer if proper adjustments are made. 
Each of the three alternative system configurations will now 
be discussed in greater detail to create the environment for 
the study of communication structures. 


4.2 


ONE LOCATION SYSTEM 


An overall diagram of the one location system is shown in 
Figure 4. A majority of the electronic equipment is found 
in one or more compartments at this one location which is in 
some convenient place, usually under the cockpit near the 
nose gear and forward of the cargo compartments , 


The electroni 
housed in envir 
units contain^ 
tronics necessar 
from the system, 
system, such as 
equipment. To c 
nication structu 


cs are packaged in standardized units and 
onmentally controlled enclosures. These 
the fault-tolerant computer, all the elec- 
y to provide sensor inputs, effector outputs 
and the equipment necessary to support the 
power supplies and environmental control 
reate a realistic environment for the commu- 
re, some electronics must be outside this 
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primary location. Of course, electronics uill be in the 
cockpit to support the pilot controls and diplays. Elec- 
tronic controls are already on the engines and uill certain- 
ly continue to be in future aircraft. A significant number 
of input signals in the uing root and tail areas of the air- 
craft require remote data acquisition equipment, and this 
system description uill thus include these remote electron- 
ics . 

The follouing paragraphs describe a set of equipment de- 
signed to meet the system requirements by providing the or- 
ganization of the sensors and effectors described in Chapter 
3. The physical packaging of the equipment is first de- 
scribed briefly. Next, the units involved in the most 
flight critical functions are described. The remaining mod- 
ules are then briefly identified. The function and communi- 
cation requirements of the remote electronic units are de- 
scribed, and finally, a list is compiled of all equipment, 
along uith the communication requirements for each unit. 


4.2.1 Mechanical Packaging 

The equipment in the primary avionics location should 
conform to a later phase of the MIC packaging nou introduced 
in the commercial avionics industry. The form factors and 
connectors should remain the same as described in ARIHC 
Characteristic 600. The only significant change expected is 
a more closely controlled environment. 

The ARINC Characteristic 600 provides for the electronic 
modules to have a common height and depth uith incremental 
uidths. The sizes of the units, called Modular Concept 
Units (MCU), are listed in Table 15. A typical installation 
is shoun in Figure 5. Three types of lou insertion force 
connectors are available. The smallest uill handle 120 sig- 
nal pins and several pouer and special purpose pins. 

The largest uill handle 600 signal pins and more special 
purpose connections. The connectors permit uire urap tech- 
niques to be used to provide interconnection betueen units 
and uith other connectors for the cables that interface uith 
the rest of the aircraft. In some installations, the inter- 
connect backboard may be removable from the aircraft to re- 
duce the initial costs of aircraft uiring and to greatly 
simplify modifications. The modules comprising the system 
for this study uill probably require five to six shelves, 
approximately four feet long. 
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Figure 5: Avionic Rack Installation 
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TABLE 15 



Modular Concept Unit (MCU) Sizes 

MCU 

WIDTH LENGTH HEIGHT 

(MM) (MM) (MM) 

1 

25.1 (1.0 IN) 318 (12.5 IN) 194 (7.64 IN) 

2 

57.2 " " 

3 

90.4 " " 

4 

124.0 " " 

5 

157.2 " 

6 

190.5 " " 

7 

223.3 " " 

8 

256.3 " " 

9 

289.3 " " 

10 

322.3 " " 

1 1 

355.3 " " 

12 

388.4 " " 


4.2.2 

Module Descriptions 


4.2.2. 1 Fault-Tolerant Computer System 

The fault tolerant central computer is housed in some 
number of units depending on the design of the particular 
system. The assumption is made that the computer will have 
provision for a variable number of interface ports necessary 
to support the communication system. The central computer 
also is assumed to have the primary responsibility for the 
control, monitoring, and redundancy management of the commu- 
nication system. 
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4 . 2 . 2 . 2 


Servo Electronics Module 


These modules are a key part of the flight control func- 
tion. They provide the interface between the communication 
structure and the actuators and will normally contain-* digi- 
tal-^to-analog (d/a) converters, the servo positioning con- 
trol electronics, and, possibly, actuator monitoring and 
equialization circuits . 

A diagram of what may be contained in a servo electronics 
module is shown in Figure 6. The basic elements of the de- 
sign include-* the interface with the digital communication 
system to accept commands from the central computer, a d/a 
converter to put the command in the proper form for the ser- 
vo electronics, and the servo electronics themselves, which 
command the actuator to the desired position using position 
and possibly rate feedback signals. The module may also 

contain! the drives for the engage discretes to the actua- 
tors, equalization circuits that receive delta pressure sig- 
nals from other channels of a force-voted redundant actuator 
to prevent force fights, and monitoring circuits that use 
information such as the cross wired delta pressures to de- 
tect actuator failures. Most likely, a servo electronic 
module will be designed to control more than one actuator, 
either by duplicating the circuits within the unit or by 
demultiplexing the outputs of the d/a converter using sam- 
ple-and-hold circuits. Redundant electronics in two differ- 
ent servo modules may also control a single actuator chan- 
nel. This redundancy would achieve a more balanced design 
between the relative costs and reliabilities of the actuator 
versus the electronics. A single actuator channel can have 
a mean time before failure (MTBF) as high as 100,000 hours, 
where the electronics may have an MTBF around 10,000 hours 
but be considerably less expensive. Thus, the total design 
may be more balanced if an actuator continues service after 
a failure of the servo electronics channel by the utiliza- 
tion of redundant electronics and some technique like dual 
windings in the electro hydraulic valve. This redundancy 
can have a significant impact on the communication load by 
requiring two commands to be communicated for each actuator 
channel . 

Most likely, a basic design principle of future systems 
will be the complete monitoring of all units so any failure 
will be detected and the failed unit will be positively 
identified. In some cases, this may be performed by built- 
in test equipment. In other system designs, however, a 
higher level of failure coverage and a more effective total 
design can be achieved if the monitoring capability is pro- 
vided by other equipment and that the monitoring process be 
controlled by the central system. In the system design as- 
sumed for this study, the servo electronics modules are mon- 
itored by feeding the output signals back into the system 
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Figure 6 ‘ Typical Servo Electronics and Data Acquisition 
Units 
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using the data acquisition modules described next. The 
servo modules are then monitored by comparing the measured 
output with the intended command sent to the module. For 
the most critical channels, it may be necessary to feed the 
output commands into two different data acquistion modules 
for positive identification of the failure. Again, these 
additional signals can have a significant impact on the to- 
tal load on the communication system. 


4. 2. 2. 3 Data Acquisition Modules 

The system will use several data acquisition modules 
which convert all necessary analog ac and dc signals and 
discrete signals to the proper form and interface them into 
the communication structure. A diagram of a typical data 
acquisition module is given in Figure 6. Each data acquisi- 
tion module contains a set of signal conditioning circuits 
for the variety of typical signals on an aircraft. Among 
the most critical will be the servo monitoring signals and 
the pilot control input signals. These will include both dc 
and ac, such as from linear variable differential transform- 
ers (LVDT). Some form of standard unit will probably be de- 
veloped, such as the Analog and Discrete Data Conversion 
System (ADDCS) now being defined by an AEEC committee. In 
this standard unit, a mix of signals can be programmed for a 
particular application. The signal conditioning circuits 
may or may not be multiplexed, depending on what will give 
the most efficient design. Presumably one or more a/d con- 
verters will be multiplexed. The resulting data would be 
buffered and transferred to the central computer system 
through the communication system when requested. The data 
acquisition process will be controlled primarily by the mod- 
ule itself. The sampling sequence and rate may either be 
fixed or programmed by commands from the central system as a 
function of flight phase or equipment failure status. 


4. 2. 2. 4 Power Supply Module 

The electrical power conditioning and control module also 
has an important role in critical functions. A diagram of 
the module is shown in Figure 7. The module receives 
power from the auxiliary or ground power unit, and from the 
aircraft batteries. This module removes all power spikes, 
over- voltages , under- voltages , and interruptions caused by 
the raw supply sources. Since advancing technology reduces 
the size of the digital circuits, this design avoids the in- 
efficiencies of a power supply in each module which would 
otherwise require a large percentage of a typical unit vol- 
ume. Separate power supply modules also allow more flexi- 
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Figure 7 


Typical Power Conditioning and Control Unit 


bility in the reconfiguration of a system after failures. 
The module receives power from the aircraft primary genera- 
tor buses. 

Power from a power supply module is supplied to each of 
the other system modules through individual current regula- 
tor/circuit breaker circuits. The power supply module con- 
nects to the communication structure to allow the integrated 
system control of the power to the other modules. This 
ability has several advantages: First, the number of cir- 

cuit breakers necessary in the cockpit is reduced. Next, 
and probably most important, this ability can be used in the 
overall redundancy management of the system. Power can be 
removed from a failed module, greatly reducing the probabil- 
ity that it will have any adverse effect on any good module. 
Finally, power control can remove power from a module not in 
opeation, particularly when the aircraft is on the ground 
and the engines and environmental control systems are not 
running. This feature could significantly improve the envi- 
ronmental control problem. 


4. 2. 2. 5 Other Modules 

Other types of modules will be in the avionics compart- 
ments, as well. Many of these modules. will contain the sen- 
sors needed by the aircraft systems. The inertial sensors 
will probably be most flight critical and have a high data 
rate. These sensors include both gyros and accelerometers 
and provide data for the inter-loop flight control func- 
tions, as well as the altitude and inertial heading data for 
outer-loop functions. The inertial data may also be uti- 
lized for inertial navigation or inertial smoothing of radio 
navigation data. In some unique situations, inertial sen- 
sors may have to be put at remote locations in the aircraft 
either because of structural mode interaction or to directly 
sense a structural mode being controlled, such as a wing 
bending mode or flutter. In the above instances, the sen- 
sors would either be wired to electronics in the avionics 
compartments or to a remote data acquisition unit. Another 
important sensor module will be for air data. The primary 
pressure sensors will most likely be in this module. Other 
sensors, such as angle-of -attack vanes, will be remote and 
hard wired to the electronics module. 

Several modules will be devoted to radio navigation sen- 
sors, such as: VOR, DME, ILS, MLS, and Omega. Several radio 
communication modules will also be included*- VHF, HF, DABS, 
^and digital data link. Some modules will generate the sym- 
bology for the CRT type display in the cockpit, as well as 
the weather radar which will feed the radar data into the 
display generators. Finally, modules outside the central 
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computer will perform the data format conversion necessary 
to interface with the communication structure to serve the 
remote electronic units. 


4.2.3 Remote Electronics 
4.2.3. 1 Cockpit Electronics 

The primary flight and aircraft system displays are ser- 
viced by display generation electronics in the primary 
avionics area» which are connected to the cockpit by dedi- 
cated wires. However, numerous controls and dedicated dis- 
plays in the cockpit must be serviced by active electronics 
to eliminate an excessive number of wires. The most criti- 
cal electronics in the cockpit service the flight operation- 
al control and display unit. This unit, sometimes called 
the autopilot controller or glare shield controller, is the 
primary means for the pilots to control the operation of the 
automatic flight control system. These controls include J 

the selection and display of the commanded flight parame- 
ters, such as desired heading, altitude, and speed; the com- 
manded flight mode, such as control wheel steering; the au- 
tomatic coupled modes, such as cruise, approach, and 
landing. In addition, this unit will provide the primary 
display status of the control system including the warning 
of degraded functional capabilty due to equipment failure. 
Because of the critical nature of this unit, redundant elec- 
tronics will be involved. For this study, the unit will be 
serviced by two communication terminals for interface to the 
central system. Thus, the entire system will continue to 
function after any failure and have a functional reliability 
goal of 10”^ per hour. The controller is not fully flight 
crucial, however, since all critical functions can be per- 
formed either by other control units or by dedicated wires. 

Another essentially equivalent unit controls the electri- 
cal, hydraulic, fuel, and environmental control systems, and 
may also be involved in the control of the engines. Because 
of the critical nature of these controls, this unit will 
also contain redundant electronics with two communication 
system terminals. 

At least two terminals in the cockpit will allow the crew 
to communicate with the avionics system. These terminals 
will service a general purpose display and keyboard and op- 
erate like a conventional computer terminal. The unit will 
enter and review flight planning information, determine sys- 
tem status, allow manual involvement in the system reco- 
nfiguration process, and operate as a backup to the other 
controllers. This now gives a total of at least six termi- 
nals in the cockpit that must be serviced by the communica- 
tion structure. 
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4.2. 3.2 Remote Data Acquisition Units 


The system de 
includes at leas 
er a concentrati 
wing root area t 
vironmental cont 
well as signals 
will also be in 
unit (APU) and 
aircraft has eng 


sign for this primarily one location system 
t four remote data acquisition units wherev- 
on of signals exists Two will be in the 

o service equipment there, such as: the en- 

rol, electrical, and hydraulic systems, as 
coming in from the wings. Two other units 
the tail area to service the auxiliary power 
possibly auxiliary engine functions if the 
ines in the tail. 


These units 
riety of diffe 
synchro, and v 
of these signa 
or more a/d co 
for subsequent 
communication 
for status and 
into one unit, 
both units in 
communication 
nals would be 
area . 


will contain signal conditioners for a va- 
rent types of signals, including: ac, dc, 

arious kinds of discrete signals. The outputs 
1 conditioners would be multiplexed into one 
nverters. The resulting data will be buffered 
transmission to the central system over the 
system. Non-critical signals would be used 
maintenance monitoring and would be wired 
More critical signals would be wired into 
that area, thus increasing the load on the 
system. Most likely, any flight critical sig- 
wired directly to the primary electronics 


4. 2. 3. 3 Engine Electronics 


For this study, the engines will use full authority elec- 
tronic control. The engine manufacturer will provide the 
electronic fuel controls; these will be mounted directly on 
the engine. The electronics will have sufficient redundancy 
to give a total electronic reliability significantly better 
than the engine itself. The primary thrust command will 
reach the engine through the communication structure. Thus, 
each engine will have two terminals to provide the necessary 
reliability. The engine electronics are not directly in- 
volved in gathering data that is not needed for the control 
of the engine itself and is thus not the respo: 
the engine manufacturer. These include: data n( 

gine monitoring and maintenance trend analysis, 
and monitoring of engine accessories, such as 
hydraulics, and engine bleed air. These sign; 
wired into the wing root data acquisition units. 


irec 

tly 

in 

- 

the 

con 

tr 

ol 

sibi 

lity 

o 

f 

eded 

for 

e 

n- 

the 

con 

tr 

ol 

gene 

rate 

r s 


Is w 

ill 

be 



60 


4.2.4 Summary of Terminals 


The total number of terminals that must be supported by 
the communication system for the one location configuration 
is summarized in Table 16. A total of 66 terminals are in 
the primary electronics area, uith a requirement to communi- 
cate 16K 16 bit words per second. In addition, a total of 
16 remote terminals are distributed throughout the aircraft- 
6 in the cockpit, 2 on each of 3 engines, and 4 remote data 
acquisition modules which require another 2K words per sec- 
ond for communication . Thus > a total of 80 terminals re- 
quires the communication of almost 18K words. 


4 . 3 THREE LOCATION SYSTEM 

The three location system will be similar to the one lo- 
cation system. The compliment of electronic modules will be 
essentially the same, only with different locations. The 
assumed set of modules for each location is shown in Table 
17. The primary change will be the movement of the servo 
electronics modules to the wing root and tail areas closest 
to the actuators in service. The functions of the remote 
data acquisition units will be absorbed by data acquisition 
modules within the electronics areas. If advantageous, oth- 
er sensor units may be moved to different areas. For exam- 
ple, the inertial sensor modules may be brought to the wing 
root area if closeness to the aircraft's center of gravity 
were an advantage. 

The significant impact on the communication structure is 
that a great amount of critical data must be moved over 
longer distances between electronics areas. Thus, the na- 
ture of the long distance communication system may signifi- 
cantly vary from the one location system. 


4 . 4 EMBEDDED SYSTEM 

The equipment to be serviced by the communication system 
in the embedded system configuration remains essentially the 
same as the previous two system configurations. The only 
significant difference is the placement of much of the elec- 
tronics. By the end of the target time period it is assumed 
that technology will have progressed far enough that elec- 
tronics can be placed in almost any location without signif- 
icant reliability, maintainability, size, or cost penalties. 
With this capability available, electronics will most likely 
be placed in almost every piece of equipment. The most cru- 
cial function, in terms of the communication structure, is 
the support of electronics attached to the flight control 
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TABLE 16 


Sensor/Effector Units in the One Location System 


UNIT 

NUMBER 

SIZE 
(MCU ) 

DATA 

(MORDS/RATE) 

DATA RATE 
(WORDS/SEC) 

SERVO ELECTRONICS 

1 2 

3 

5/20 MS 

3000 

DATA ACQUISITION 

8 

4 

4<3 16/20 MS 
£ 48/SEC 
4<3 64/SEC 

7296 

INTERIAL SENSORS 

6 

8 

8/20 MS 
8/100 MS 

1920 

AIR DATA 

3 

4 

5/100 MS 

150 

VOR 

2 

2 

2/100 MS 

40 

ILS 

2 

2 

5/100 MS 

100 

MLS 

2 

2 

4/100 MS 
10/10 SEC 

82 

RADIO ALT 

2 

2 

1/20 MS 

100 

TACAN 

2 

3 

3/100 MS 

60 

ADF 

2 

2 

1/100 MS 

20 

GPS 

1 

6 

4/20 MS 
16/2 SEC 
100/2 MIN 

209 

TRANSPONDER 

2 

3 

2/4 SEC 

2 

DABS 

2 

2 

MAX 320/4 SEC 
NORM 4/4 SEC 

2 

VHF COMM 

3 

2 

1/SEC 

3 

ARINC DATA LINK 

1 

1 

14/2 SEC 

7 

HF COMM 

1 

6 

1/SEC 

1 

VOICE/TONE SYNTH 

2 

1 

20/SEC 

20 
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TABLE 16 


Sensor/Effector Units (Cont.) 


UNIT 

NUMBER 

SIZE 

DATA 

DATA RATE 



(MCU ) 

(WORDS/RATE) 

(WORDS/SEC) 

WX RADAR 

2 

8 

2/20 MS 

200 

FLIGHT DISPLAY 

3 

6 

6/20 MS 

1800 

GENERATOR 



30/100 MS 


SYSTEMS DISPLAY 

2 

6 

33/100 MS 

660 

GENERATOR 





FLUTTER CONTROL 

2 

6 

4/20 MS 

400 

POWER COND/CONT 

3 

8 

1/SEC 

4 

TOTALS IN 
PRIMARY LOCATION 

66 



1 6076 

REMOTE AVIONICS UNITS 

NUMBER 

DATA 

DATA RATE 




(WORDS/RATE) 

(WORDS/SEC) 

WING ROOT DATA AC2. 


2 

128/SEC 

256 

TAIL DATA AC2. 


2 

32/SEC 

64 

ENGINE CONTROL 


6 

2/20 MS 
1 0/SEC 

660 

FLIGHT CONTROLLER 


2 

10/100 MS 


SYSTEM CONTROLLER 


2 

10/100 MS 

200 

CONTROL AND DISPLAY 


2 

150/SEC 

300 

TOTALS UNITS 


1 6 


1680 

REMOTE 





TOTAL TERMINALS 


80 


17756 


actuators. Electronics are also likely to be directly 
associated with most of the aircraft systems, such as: elec- 
trical power, hydraulic power, environmental control, and 
the APU. Electronics involved with the engine, and particu- 
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TABLE 17 


Sensor/Effector Units in Three Location System 


UNIT 


NUMBER 


SIZE 

DATA 

DATA RATE 


(HOSE 

-MID-TAIL) 

(MCU) 

(MORDS/RATE) 

(UORDS/SEC) 







(NOSE-MID-TAIL) 

SERVO ELECTRONICS 

— 

10 

a 

3 

5/20 MS 

1666 1333 

DATA ACQUISITION 

2 

6 

4 

4 

4<3 16/20 MS 

1333 4000 2666 






S 48/SEC 







4<3 64/SEC 


INTERIAL SENSORS 

- 

6 

- 

a 

8/20 MS 
8/100 MS 

1920 

AIR DATA 

3 

— 

— 

4 

5/100 MS 

150 

VOR 

2 

- 

- 

2 

2/100 MS 

40 

ILS 

2 

- 

- 

2 

5/100 MS 

100 

MLS 

2 

- 

- 

2 

4/100 MS 
10/10 SEC 

a2 

RADIO ALT 

— 

2 

- 

2 

1/20 MS 

100 

TACAN 

2 

- 

- 

3 

3/100 MS 

60 

ADF 

2 

- 

- 

2 

1/100 MS 

20 

GPS 

2 

- 

- 

6 

4/20 MS 
16/2 SEC 

209 






100/2 MIN 


TRANSPONDER 

2 

- 

- 

3 

2/4 SEC 

2 

DABS 

2 

- 

- 

2 

MAX 320/4 SEC 
NORM 4/4 SEC 

2 

VHF COMM 

3 

- 


2 

1/SEC 

3 

ARINC DATA LINK 

1 

- 

- 

1 

14/2 SEC 

7 

HF COMM 

- 

- 

1 

6 

1/SEC 

1 

VOICE/TONE SYNTH 

2 

— 


1 

20/SEC 

20 


64 


TABLE 17 


Sensor/Effector Units in Three Location System (Cont.) 


UNITS 


NUMBER 


SIZE 

DATA 

DATA RATE 


(NOSE 

-MID-TAIL) 

(MCU) 

(WORDS/RATE) 

(WORDS/SEC) 







(NOSE-MID-TAIL ) 

WX RADAR 

2 

— 

— 

8 

2/20 MS 

200 

FLIGHT DISPLAY 

3 

- 

— 

6 

6/20 MS 

1800 

GENERATOR 





30/100 MS 


SYSTEMS DISPLAY 

2 

— 

— 

6 

33/100 MS 

660 

GENERATOR 







FLUTTER CONTROL 

- 

2 

- 

6 

4/20 MS 

400 

POWER COND/CONT 

2 

2 

2 

8 

1/SEC 

3 3 3 

TOTALS IN EACH 
LOCATION 

36 

28 

16 



4691 8089 4003 

TOTAL : 


80 




16783 

REMOTE AVIONICS UNITS 






ENGINE CONTROL 




6 

2/20 MS 
1 0/SEC 

660 

FLIGHT CONTROLLER 




2 

10/100 MS 

2 0 0' 

SYSTEM CONTROLLER 




2 

10/100 MS 

200 

CONTROL AND DISPLAY 



2 

1 50/SEC 

300 

TOTALS 

UNITS 



12 


1360 

REMOTE 

TOTAL TERMINALS 




92 


18143 


larly with the engine accessories, will probably 
significantly expand. 

However, electronics will not be scattered in the air- 
craft just for the sake of being scattered. Presumably, 
much of the electronics, such as *• the basic central computer 
system, navigation equipment, and communication equipment 
located in equipment bays in the one and three location sys- 
tem configurations, will remain in bays. The bays will be 
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retained for this equipment for maintenance convenience, and 
other logistics and installation reasons. 

A significant amount of other electronics uill be embed- 
ded in their respective equipments, particularly in the 
cockpit, around the engines, and in the primary aircraft 
equipment areas. The actual specifics of a candidate system 
configuration of an embedded system must necessarily be more 
speculative since it is in the distant future. However, to 
define a representative system as a baseline is crucial for 
analyzing the communication structure. In particular, the 
determination of how many communication terminals (nodes) 
must be serviced and what the data rates is vital for this 
analysis . 

The equipment used as a baseline for the embedded system 
studies is described in Tables 18 to 24. These tables gener- 
ally follow the equipment requirements given in Chapter 3. 
The number of nodes and the communication rate necessary to 
support the system are shown in the tables. The number of 
nodes is established by a trade-off between reliability and 
costs. For example, more than one sensor is serviced by a 
common node to reduce costs where there is no compromise in 
reliability. In other cases, a node is dedicated to a par- 
ticular sensor or piece of equipment because of reliability 
or physical location considerations. A summary of the base- 
line system configuration is given in Table 25. 


TABLE 18 

Flight Data Sensor 


PARAMETER 

ANGULAR RATE AND 
ACCELERATION 

FLUTTER SENSOR 

STATIC PRESSURE 

TOTAL PRESSURE 

TOTAL TEMPERATURE 

J 

ANGLE OF ATTACK 
MAGNETIC FIELD SENSOR 
TOTALS 


NODES 

6 

6 

3 

3 

2 

20 


DATA RATE 
(WORDS/SEC) 

1250 

1000 

160 

140 

20 

550 

600 

3720 
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TABLE 19 


Cockpit Controls and Displays 


PARAMETER 

NODES 

DATA RATE 
(WORDS/SEC) 

CONTROLS 

CONTROL WHEEL AND TRIM 

4 

600 

PEDALS 

4 

600 

THROTTLES | 

1 

10 

FLAPS 

r 

80 

SPEED BRAKES 


10 

NOSE WHEEL STEERING 

1 

80 

DISPLAYS 

FLIGHT DISPLAY GENERATOR 

4 

2,880 

SYSTEM DISPLAY GENERATOR 


5,280 

FLIGHT OPERATIONAL CONTROL 

CONTROL AND DISPLAY 

4 

2 , 880 

SYSTEMS CONTROL AND DISPLAY 

2 

500 

AVIONICS SYSTEM TERMINAL 

2 

800 

COCKPIT PRINTER 

1 

640 

TOTALS 

25 

14,360 


TABLE 20 

Flight Control Acutator Signals 


PARAMETER 

NODES 

DATA RATE 
(WORDS/SEC) 

WING DYNAMIC CONTROL AND 
CONFIGURATION CONTROL 

18 

3720 

TAIL DYNAMIC CONTROL 
SURFACES 

18 

1200 

LANDING GEAR OPERATION 

9 

1 1 1 

STEERING 

1 

100 

BRAKES 

6 

80 

TOTALS 

52 

52 1 1 
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TABLE 21 


Navigation 

PARAMETER 

VOR ANGLE 

DME DIST 

ADF BEARING 

ILS LOCALIZER 
ILS GLIDE SLOPE 

MARKER BEACON 

RADIO ALTITUDE 

MLS AZIMUTH 
MLS EVALUATION 1 
MLS EVALUATION 2 

MLS RANGE 
MLS DATA 

GPS RECEIVER 
GPS DATA 

GPS LINE OF SIGHT VEL 

WEATHER RADAR ATTITUDE STAB 

NAVIGATION FREQUENCY AND 
MODE CONTROL 

TOTALS 


DATA RATE 
(WORDS/SEC) 
192 

256 

192 

208 

208 

1 

340 

130 

130 

130 

130 

9 

16 

12 

800 

700 


105 

3559 


Sens 

NODES 

2 

2 

2 

2 

2 

2 

2 

2 

1 

1 

3 

2 1 
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TABLE 22 


Radio Communication Equipment 


PARAMETER NODES 

COMM RECEIVER FREQUENCY 3 

AND MODE CONTROL 

TRANSPONDER CONTROL 2 

ARINC DATA LINK 1 

PASSENGER SERVICE 

TERMINAL 1 

TOTALS 7 


TABLE 23 

Engines and Aircraft Systems 


PARAMETER NODES 

AIRCRAFT ENGINE 9 

HYDRAULIC 3 

FUEL 5 

ELECTRICAL 3 

PRESSURE/OXYGEN 3 

APU 2 

AIR CONDITIONING 3 

BLEED AIR/ANTI-ICE 6 

FLIGHT DATA RECORDER 1 

TOTALS 35 


DATA RATE 
(UORDS/SEC) 

105 

120 
1 10 

110 

445 


DATA RATE 
(WORDS/SEC) 

960 

96 

156 

168 

180 

1020 

180 

24 

768 

3552 
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TABLE 24 


Miscellaneous Equipment 


PARAMETER 


NODES DATA RATE 

(WORDS/SEC) 


FLIGHT DATA STORAGE UNIT 1 

AUDIO GENERATOR 2 80 

(TONE AND VOICE SYNTHESIS) 

TOTALS 3 80 


TABLE 25 
Summary 


EQUIPMENT CLASS 

WORDS/SEC 

NODES 

FLIGHT DATA SENSORS 

3720 

20 

COCKPIT 

14360 

25 

FLIGHT CONTROL ACTUATORS 

52 1 1 

52 

NAVIGATION 

3559 

2 1 

COMMUNICATIONS 

445 

7 

ENGINES AND AIRCRAFT SYSTEMS 

3552 

35 

MISCELLANEOUS 

80 

3 


26923 

163 


BITS/SEC (16 bit word) 


431K 


Chapter 5 


CANDIDATE COMMUNICATIONS SYSTEMS STRUCTURES 


Candidate communication system structures are now pro- 
posed for each of the three system configurations. The ba- 
sic communication techniques used to construct these candi- 
date communication systems consist of the following-’ (1) 
dedicated serial links from each device to the central com- 
puter (or intermediate communication controller), (2) a mul- 
tiplexed serial bus with several devices connected to the 
same wires, (3) a point-to-point communication network where 
devices are connected to each other and the central computer 
with multiple dedicated links, and (4) a local bus appropri- 
ate for communication within an avionics compartment and us- 
ing parallel wires for address, data, and control much like 
the internal bus in any computer system. Candidate communi- 
cation structures are composed of one or more of these basic 
techniques . 

This chapter first discusses some of the basic design 
choices made in constructing a communication system and how 
these options may be implemented in a broad range of candi- 
date designs. The candidates are then narrowed to those de- 
termined to be most promising and are then described in 
greater detail. The comparative analysis of these primary 
candidates is discussed in the following chapter. 


Broadcast data buses are not considered in this study. 
Broadcast buses are the basic philososphy of the current 
generation of commercial avionic systems. This technique is 
compatible with a federated system design philosophy. Each 
subsystem in a federated system either performs some func- 
tion or provides a particular type of data in an essentially 
autonomous way. The subsystems provide their data to the 
rest of the system using one or more broadcast buses. Mul- 
tiple bus drivers are sometimes used for critical data to 
prevent one receiver from failing in a way that would pre- 
vent data from being obtained by a receiver in a flight 
critical unit. Each subsystem that needs data from another 
subsystem has a dedicated receiver for the bus coming from 
that system. (In some cases, data may be passed through an 
intermediate third unit which already has the desired data 
to avoid the necessity of additional interface hardware.) 


This broadcast technique is 
for a highly integrated design 


not particularly appropriate 
with a central computer. Al- 
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most all data transfer is to and from the central computer 
system and the sensor and effector units. A broadcast bus 
from each peripheral unit normally has only one receiver at 
the central computer system and thus degenerates to a dedi- 
cated link system. A broadcast bus may be plausible for 
communication from the central computer to the remote units 
uhere addresses indicate uhich unit receives the data. This 
is a hybrid between dedicated lines and multiplex buses and 
is not specifically considered in this study. However, the 
characteristics of this combination can be inferred from the 
char ac ter is tics of the other combinations studied. 


5 . 1 BASIC DESIGN CONSIDERATIONS AND INITIAL COnnUNIC ATION 
STRUCTURE CANDIDATES 


The existence of hierarchical levels in the structure 
will have a significant influence on the nature of the com- 
munication system. Will the communication system provide a 
direct link from each device to the central computer, or 
will devices be placed in subgroupings with their own inter- 
communication and connected to a higher level communication 
structure through some intermediate communication control 
device? A multilevel structure could be used for both log- 
ical and physical reasons* A multi-level system might be 
used with a system design that grouped related equipment 
into functional subsystems, such as flight control, naviga- 
tion, display, etc. This type of system design is inconsis- 
tent with the highly integrated design assumed for this 
study and is thus not considered. A multilevel system could 
also be incorporated into the logical design of the fault 
tolerant concept, where any failure within a sub-grouping 
would be prevented from propagating to other areas. A mul- 
tilevel system could also be used either because of capacity 
considerations or limitations in device addressing capabili- 
ty of the particular technique. Some techniques, such as 
the local bus, cannot communicate over long distances; con- 
sequently, the physical requirements imply a second level 
for communications to remote units. 

In this study, we limit ourselves to one or two level 
systems. The local bus cannot be used for long distances 
thus can only be used as one level of a two level system. 
The other techniques can theoretically be utilised in a one 
level system or interchangeably on either level of a two 
level system. Therefore, three possibilities exist for a 
one level system, three possibilities for the upper level of 
a two level system, and four possibilities for the lower 
level, making a total of 15 system structures. Some of 
these combinations are impractical and can be eliminated. 
The relative characteristics of the remaining possibilities 
are discussed and narrowed down to those most promising. 


72 


In the one location system, if a local bus operates 
within the primary avionics location, a two level system 
must provide communications to the six remote terminals. 
Little physical justification would be possible for a two 
level system within the primary equipment location itself. 
However, there may be logical reasons, such as fault con- 
tainment or address space limitations. These factors are 
not considered in this study. Thus, for the one location 
system, three alternative single level communication struc- 
tures are considered, two level systems are considered with 
the local bus for in the primary avionics location, and 
three alternatives for the communications to the 16 remote 
terminals . 

The three location configuration will most likely be able 
to effectively use a two level system. A communication 

structure will be established within each location. An up- 
per level system will then provide communications between 
the avionics locations, the other remote terminals, and the 
central computer. If local buses are utilized in the avion- 
ic areas, a two level system will be necessary. The other 

techniques can still be used as a single level system or as 
two levels with various combinations for the upper and lower 
level. A two level system with dedicated links will have 
obvious advantages over a single level dedicated system. 
Significant wire is saved by having a terminal in each area 
that distributes the messages to the individual units in 
that area. The advantages of a two level multiplex or net- 
work system are less obvious but feasible. 

In the embedded system, many of the units to be serviced 
by the communication system are dispersed about the aircraft 
and offer little advantage for a two level system. In the 
early stages of the evolution toward an embedded system, 
much of the electronics will still probably be located in 
central areas. Within these areas there may still be an ad- 
vantage in using a lower level communication system. How- 
.ever, for the purposes of this study, the embedded system 
has been assumed to be the logical limit of a dispersed sys- 
tem, offering little advantage for a two level system. 
Therefore, only single level systems are considered in this 
study for the embedded system. 

The different communication structures considered are 
shown in Table 26. Only single level communication systems 
are considered for both the one location and the embedded 
systems, except for the servicing of the remote units when a 
local bus is used in the one location system. A full set of 
alternatives are considered for the three location configu- 
ration. The results of the tradeoffs for the three location 
apply, at least in part, to cases where a two level system 
may be used with the other system configurations. 
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TABLE 26 


Initial Communication Structure Candidates 


ONE LOCATION SYSTEM: 


ONE LEVEL 


TWO LEVEL 


DEDICATED BUS 
MULTIPLEX BUS 
MESH NETWORK 


WITHIN LOCATION 
LOCAL BUS 


DEDICATED BUS 
MULTIPLEX BUS 
MESH NETWORK 


TO REMOTE TERMINALS 


THREE LOCATION SYSTEM 


ONE LEVEL 


TWO LEVEL (ALL COMBINATIONS) 


WITHIN LOCATION 


AMONG LOCATIONS AND 
REMOTE TERMINALS 


DEDICATED BUS 
MULTIPLEX BUS 
MESH NETWORK 


DEDICATED BUS 
MULTIPLEX BUS 
MESH NETWORK 
LOCAL BUS 


DEDICATED BUS 
MULTIPLEX BUS 
MESH NETWORK 


EMBEDDED SYSTEM: 

ONE LEVEL 

DEDICATED BUS 
MULTIPLEX BUS 
MESH NETWORK 


5 . 2 COMMUNICATION STRUCTURE FOR THE ONE LOCATION SYSTEM 
5.2.1 Dedicated Bus 

The first communication structure considered for the one 
location system utilizes dedicated lines from the computer 
to each peripheral device. This option requires a minimum 
of hardware and complexity for the interface at the periph- 
eral unit, with only one channel in and one out. The remote 
units do not have to distinguish the address of messages 
since they are all for that unit. The timing constraints 
are also likely to be tight. The multiplicity of interface 
electronics is on the computer end. A dedicated interface 
is required for each external device. Although any practi- 
cal design presumably shares as much of the electronics as 
possible, the design is still cumbersome. 

Some of the primary advantages of a dedicated bus system 


are : 


* simple interface at the using equipment 
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^ simple communications protocol 

^ high throughput capacity 

^ high degree of fault isolation 

The interface at the using equipment and the protocol will 
be simple because the units do not have to read and decode 
addresses to determine if they will respond to the messages. 
The timing constraints can also be relaxed. A dedicated 
link will have high throughput since each link serves only 
one device. The communication channel does not have to be 
time multiplexed among a number of devices. A dedicated 
link system simplifies the task of assuring fault tolerance. 
Each link is independent and cannot fail in a way that af- 
fects other channels. 

The primary disadvantages of a dedicated bus system areJ 

* interface on the computer end is cumbersome 

* a very large number of wires is required 

^ the system will not be flexible or expandable 

A dedicated interface is mandatory for each piece of exter- 
nal equipment. Numerous wires are required to focus at the 
computer and make the installation difficult and heavy. 
More interface hardware must be added to the computer every 
time a new device is added, or additional spare interfaces 
must be included in the original system. Even with spare 
interfaces, more wire must be added. A more quantitative 
measure of the relative advantages and disadvantages is in- 
cluded in the next chapter. 


5.2.2 Multiplex Bus 

The next communication structure considered for the one 
location system is a multiplex bus system. The multiplex 
bus provides communication to a number of units using the 
same wires. Messages include an address which must be rec- 
ognized and decoded by each unit to see if the message is 
intended for it. More than one multiplex bus is used. The 
number of buses is determined by requirements for total sys- 
tem communication capacity, by the physical and logical lim- 
itations on the number of devices on a single bus, and by 
the need to isolate failures which could prevent the use of 
the bus for any of the devices connected to it. Since all 
devices on a single bus must share the time available, a 
number of buses is essential to provide the necessary commu- 
nications capacity. There is also a limit to the number of 
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devices that can be put on one bus, as well as limits to the 
electrical loading that can be accommodated, and the number 
of unique addresses available in the address space. The 
MIL-STD- 1 553B bus is limited to 30 terminals. The system 
designed for this study uses six buses. 

The basic configuration of the communication system using 
multiplex buses is shown in Figure 8. Each of the six buses 
has a primary and a backup controller to prevent most of the 
single point controller failures from causing the loss of 
all the units on that bus. The critical units are distrib- 
uted on the six buses so that all critical functions can 
still be performed after multiple bus failures. The most 
important units in this category are the actuator control 
modules. The analysis of a particular arrangement of these 
units is included in the reliability analysis in the follow- 
ing chapter. Each multiplex bus extends out of the primary 
electronics area to provide communication with the 12 exter- 
nal units. The assumed routing of these buses is shown in 
Figure 9 . 

Some advantages of the multiplex bus are J 

* reduced interface equipment at the computer 

* reduced interconnecting wiring 

^ flexible to system growth and modification. 

A multiplex bus system significantly reduces the number of 
interface circuits needed at the computer compared to a ded- 
icated bus system. The communications with a number of dif- 
ferent units can share the same channel using time multiplex 
techniques without the necessity of duplicating the inter- 
face for each unit. A similar advantage also applies to the 
amount of wire necessary to support these communications. 
In particular, the concentration of wire terminating at the 
central computer system is essentially eliminated. The sys- 
tem is also more flexible for system modification and expan- 
sion. More units can be added by attaching them to the bus 
at some point and adding them to the communication control 
software without any change in hardware at the computer and 
with minimal change in the wiring. 


* the 

* the 

* the 

* the 


the disadvantages of a multiplex system are: 
interface at the units is complex 
communications protocol is complex 
system throughput is limited 

system is vulnerable to a class of faults that 
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Figure 8: One Location Multiplex Bus System 



Figure 9: Multiplex Buses to Remote Terminals 
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can deny communications to a significant percentage 
of the total system 

The interface at the remote units and the protocol is more 
complex than necessary for a dedicated link system. Addi- 
tional circuits must be included to receive and decode both 
the unit address and the control messages, in addition to 
providing the proper messages in the required time interval. 
The throughput is less than a dedicated link since the chan- 
nels must be time shared among a number units. The through- 
put is also reduced because of the greater overhead neces- 
sary to support the communication protocol. The sharing of 
the communication channel among several different units also 
significantly increases the vulnerability of the system to 
common mode faults that can cause the loss of all of the 
units on that bus. These include: failures in the bus con- 
troller that are not detected and prevent the backup con- 
troller from taking over, physical brakes in the wire, some 
terminal failures, such as spurious tr ansmissions that can- 
not be stopped, and a terminal responding to the wrong ad- 
dress. These failures cause all units connected to this bus 
to be lost. Some of the more important units may have ter- 
minals on more than one bus; however these duplicate termi- 
nals increase the hardware requirements. 


5.2.3 


Network 


The next communication system defined for the one loca- 
tion system is a point-to-point network. Each unit is con- 
nected to a node in this network; each node has dedicated 
links to three other nodes, or a port into the central com- 
puter system. Communication is established to each unit by 
•growing* a bus; the bus is ’grown* by sending messages from 
the computer to the individual nodes starting with those 
connected to the computer. These messages close electronic 
switches that establish a path to all operating nodes. Once 
the nodes are interconnected, communication is carried out 
as in a multiplex bus system. The communication links are 
’grown* at system initiation, or any time a failure occurs 
in either a node or a link that disrupts communication to 
any otherwise good device. (See Volume 1, Chapter 3 for a 
more detailed description of how a network is ’grown*.) 

For the system designed for this study, the network is 
connected into the central computer through six ports. The 
nodes are connected together in a regular pattern, with the 
remote terminals included within the pattern of the network, 
as shown by the labelled nodes in Figure 10. The arrange- 
ment of these links in the aircraft is shown in Figure 1 1 . 


Some of the advantages of a network system are: 
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PRimRY AVIONICS LOCATION REMOTE TERMINALS 



Figure 1 0 : 


Mesh Network for One Location System 



Figure 1 1 •• Mesh Netuork to Remote Terminals 
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^ very high degree of protection against failure 
and damage events 

^ uniform availability of communication to units 

throughout the system in the presence of failures. 

A network system offers a very high degree of protection 
against virtually all types of equipment failures and damage 
events. A system has almost no failure modes that prevent 
communication with an otherwise good terminal. Communica- 
tion can only be lost because of multiple failures. A mesh 
network is also invulnerable to the types of common mode 
failures that simultaneously cause a significant percentage 
of the total system to be lost. In any system that uses 
buses, a class of faults can cause the loss of every device 
on a particular bus. These faults restrict the ability of 
the system to use all resources to effectively reconfigure 
itself. With a mesh network, information from all function- 
ing units is uniformly available throughout the system. 

Some of the disad vantages of network system are ? 

^ complex node interfaces 
^ restricted throughput 


The hardware in the interfaces in the nodes is greater than 
any of the other techniques, with at least three link inter- 
faces in each node. The node must also have the ability to 
simultaneously receive and respond to messages on all of the 
links. This ability is needed to receive reconfiguration 
messages to provide protection from certain types of fail- 
ures, which means that some of the control electronics must 
be duplicated. The disadvantage of complexity will diminish 
in time, particularly if a majority of the node functions 
are implemented in LSI circuits that are produced in rela- 
tively large numbers. 


The throughput of a mesh network system may be less rela- 
tive to multiple bus configurations. If the network system 
is configured as one logical bus, the capacity will obvious- 
ly be less than the bus system, assuming the same data 
rates. A network can be configured as more than one logical 
bus to increase the capacity, or dedicated links can be es- 
tablished between nodes where the data rate is high. These 
multiple links may not be supported after failures, however, 
thus reducing throughput. The system, of course, will be de- 

these 
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5 . 2.4 


Local Bus 


The final candidate communication structures defined for 
the one location system are based on the use of local buses 
within the primary electronics location. This system is 
logically similar to the multiplex bus system, with six bus- 
es, each controlled by a primary and backup controller. 

Since this local bus is inappropriate for long distances,' 
another level of communication is necessary for the remote 
terminals. These remote terminals can be serviced by dedi- 
cated links, multiplex buses, or a network. 

Dedicated serial buses are a leading candidate for commu- 
nication to the remote terminals. At least some of the data 
will be very critical, particularly the operational control 
data to the cockpit and the engine thrust control data. To 
support this critical data, at least four multiplex buses 
are required, or a network with at least four ports into the 
fault tolerant computer. Therefore, the small number of 
terminals is not likely to justify the complexity of a mul- 
tiplex bus or network. A multiplex bus would have only 
three or four terminals. Although some of the signals are 
critical, they are not crucial enough to justify the fault- 
and damage-tolerance characteristics of a network. 

S.ome advantages of a local bus system include: 

* simple interface at both the central computer 
and the peripheral unit 

^ high throughput 

The primary advantage of using a local bus within an avion- 
ics compartment is the simplicity of the interface equipment 
and protocol. A local bus can be designed to closely relate 
to the internal bus structure normally found not only in the 
central computer system, but also in the microcomputers that 
are likely to be a part of almost every module. Consequent- 
ly, considerably fewer data format conversions and less 
hardware lie between the existing internal buses and the 
communication structure. Also, the throughput can be con- 
siderably greater than other techniques for two reasons: 
First, the data can be transmitted in parallel as opposed to 
the serial transmission used for all the other techniques 
studied. Second, the communication overhead and conversion 
delays can be considerably reduced. 

Potential disadvantages of a local bus communication 
structure are: 

^ cannot be used over long distances 

^ numbers of wires, connectors, and associated failure 
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rates can be large. 

A local bus is impractical over long distances for several 
reasons: The primary problem is the large number of wires 

involved, particularly if data and address are transmitted 
on separate and parallel lines. The number of lines can be 
reduced at the cost of greater complexity if data and ad- 
dress are multiplexed on the same lines or if one or both 
are transmitted with a serial technique. Separate control 
and clock lines will still exist, otherwise the advantage of 
simplicity will be lost and the technique will degenerate 
into the multiplex bus technique. These large numbers of 

wires have the obvious disadvantages of high installation 
weight, complexity, and cost. The signal levels for a local 
bus may also be inappropriate for long distances. The immu- 
nity to interference may be degraded and problems may arise 
due to time skew between signals on parallel lines. The 
primary disadvantage of the inability to use the local bus 
over long distances is that a two level communication struc- 
ture must be used. Extra hardware must translate from the 
local bus to the communication technique used for the remote 
terminals. The commonality and uniformity of the communica- 
tion structure will thus be lost. 

The large number of wires and associated connectors lead 
to another disadvantage. Several failure modes, such as •• 
broken or shorted wires, bad connections, and faults in line 
drivers and receivers, are generally directly proportional 
to the number of lines involved. This number is signifi- 
cantly greater for the local bus than the other techniques. 
Also, a large number of line buffer circuits are needed and 
may require a special design to reduce the possibility of 
failures that cause the loss of the entire bus. 


5 . 3 THREE LOCATION SYSTEM 


The three location system configuration creates a poten- 
tial for more communication structure candidates. All of 
the single level configurations are still potential candi- 
dates for the three location configuration. Also, potential 
justifications exist for two level structures, one level 
within a location and the other among these primary loca- 
tions and remote terminals. Many of the communication can- 
didates will be similar to the one location configuration, 
while others will vary due to the change in the basic system 
configuration. 


The one level candidates using dedicated, multiple 
and network communication techniques, will be almost i 
cal. The logical organization and the interface har 
will be the same. The nature of the communication s 
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remains unchanged by the added distance betueen the central 
computer system and the peripheral terminals. The only sig- 
nificant difference uill be the lengths of the interconnect- 
ing wires. The length of the wire has virtually no effect 
on the dedicated and network candidates, except for the cost 
and weight of the installation, which is more than offset by 
the significant reduction in the length of dedicated signal 
wire between the electronics and the equipment served, as 
shown in Chapter 3. The length of wire may have some effect 
on the multiplex bus system. Care must be exercised in 
routing the buses to assure that they do not become too long 
as far as loading is concerned. The routing must also as- 
sure that the system is not vulnerable to single point dam- 
age events. These problems should be surmountable, however, 
and the one level multiplex bus system will then have essen- 
tially the same characteristics as it did for the one loca- 
tion configuration . 

The three location configuration makes many different 
communications structures theoretically possible if two hi- 
erarchical levels are used. A candidate structure could be 
formed from all combinations of techniques on the two levels 
except that the local bus would be unused on the upper lev- 
el. This would have the potential for the full 12 different 
two level structures. Several of these can be eliminated as 
implausible alternatives . 

First, consider the combinations with the multiplex bus 
at the lower level. One possible justification for this 
candidate would be the need for increased throughput. As 
discussed for the one location system, at least six buses 
are needed to provide the redundancy necessary to meet the 
reliability requirements. These six buses would have ample 
capacity to meet the throughput requirements projected for 
the system. Thus, if each of the peripheral units has the 
capability to communicate on a multiplex bus, little logic 
exists in interposing any kind of intermediate communication 
controller between that unit and the central computer. This 
additional unit would only contribute to complexity, cost, 
and reduced reliability without making any compensating po- 
sitive contribution. From these arguments, all candidates 
involving the multiplex bus on the lower level offer no ad- 
vantages and can be eliminated. 

Similar arguments can be made for structural candidates 
with a network on the lower level. A network logically op- 
erating as a single bus may have difficulty meeting the 
throughput requirements of some systems. However, these 
problems can best be solved by providing dedicated links be- 
tween communication nodes where high data rates are re- 
quired. Much of the fault tolerance of the network system 
would be lost if the system were divided into two levels. A 
much higher degree of fault tolerance can be achieved by 


85 


maintaining a globally homogeneous organization, where the 
network controller makes any combination of connections nec- 
essary with any node in the system. Again, by these argu- 
ments, all two level structures where the lower level is a 
network are eliminated from consideration. 


An advantage for a two level system may exist when dedi- 
cated links are used on the lower level. Considerable wire 
could be saved over a one level dedicated system if communi- 
cation terminals in each location could receive messages 
from the central computer and distribute them to the units 
at that location. The upper level communication technique 
could be one of three alternatives; however, only a limited 
number of terminals must be interconnected on the upper lev- 
el. Also, many of these terminals must handle a relatively 
high data rate and are critical to the reliability of the 
system. Thus, each of these terminals should have its own 
dedicated link to the central computer system. A multiplex 
bus or network system would be unjustified for these few im- 
portant terminals. The candidate selected thus has dedicat- 
ed links on both levels. This configuration has the disad- 
vantage of signif icantly increasing the effect of single 
point failures within these communication terminals. Some 
form of redundancy and the associated redundancy management 
would be needed, such as redundant circuits within the ter- 
minals or the use of multiple terminals within each loca- 
tion . 


The final set of candidate structures has the local bus 
on the lower level. The candidate structure using local 
buses will thus be similar to the one location candidate. 
In this case, two of the six local buses are placed in each 
location. For some central computer designs, support of 
these remote locations is possible without creating an addi- 
tional level in the communication structure. The interface 
between the central computer and the local bus will be de- 
signed with the ability to communicate over the greater dis- 
tances involved. The logical design and the great majority 
of the hardware will be the same as for the one location 
configuration. The communications to the remote units would 
also be simplified. Kow fewer terminals exist since the re- 
mote signal multiplex units have been absorbed into the two 
additional locations. Also, the interface units for the 
links to the remote terminals can be placed in the nearest 
locations. For example, the links for the engines in the 
wings would originate in the wing root electronic location. 

Thus, the candidate structures for the three location 
configuration are essentially reduced to those for the one 
location configuration. The only new candidate is the two 
level dedicated link system. The advantages and disadvan- 
tages are also virtually the same for similar candidates. 
The two level dedicated link system will have the previously 
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discussed advantage of significant uire savings over a one 
level dedicated system, but have the disadvantage of added 
failure modes. 


5.4 

ENBEDDED SYSTEM 

The embedded configuration in this study represents the 
limiting extreme of systems likely to emerge by the end of 
the target time period. These systems are assumed to be 
fully dispersed, with electronics embedded within sensors, 
actuators, and other pieces of aircraft equipment, as de- 
fined in the previous chapter. Although any pratical system 
will still probably have electronics in equipment compart- 
ments, for the purposes of this study the electronics are 
assumed to be fully dispersed. This configuration thus es- 
tablishes a logical extreme in the environment it creates 
for the communication requirements. Consequently, this lim- 
iting configuration will have significant implications on 
the appropriate candidate communication structures. 

Several combinations of structures can be eliminated as 
impractical or impossible^ The local bus cannot be used 
since it is not usable over a significant distance in an un- 
protected environment. Thus, any candidate configuration 
with a local bus can be eliminated. A system using dedicat- 
ed links connecting a central computer system to 150 plus 
terminals would be so awkward that it also does not need to 
be considered. Therefore, the only . candidates considered 
are those that use multiplex buses or mesh network. 

Two level communication candidates are also not consid- 
ered. The same arguments can again be made to eliminate the 
two level multiplex bus or network candidates in the three 
location conf igur ation . Thus, the candidates are reduced to 
twos a one level multiplex bus system and mesh network. 


5.4.1 Multiplex Bus for the Embedded System 


The multiplex bus retains the same characteristics of the 
current MIL-STD- 1 55 3B . Therefore, each bus is limited to 30 
terminals. At least six buses must be used with essentially 
the same logical configuration used for the one and three 
location configurations. The problems of arranging viable 
paths for the buses are more severe, however. In the one 
and three location configurations, a majority of the termi- 
nals are relatively close together, with only a few remote 
terminals. These remote terminals can be serviced with rea- 
sonable bus connection designs, as shown in Figure 9. The 
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loss of communications to any of these remote terminals is 
not immediately catastrophic and so physical damage to the 
bus is not an overriding consideration. The embedded con- 
figuration considerably complicates the situation by impos- 
ing conflicting requirements. Highly flight critical func- 
tions must be performed throughout the aircraft. The most 
critical tasks for the communication system is to provide 
commands to the flight control surface actuators in the 
wings and tail. Thus, redundant buses are essential for 
each of these critical locations. Significant problems are 
likely, however, if all redundant buses are routed to all 
locations. First, to design a bus that is consistently re- 
liable over the long distances involved may be difficult. 
The A version of MIL-STD- 1 553 limited total length to 91 me- 
ters (300 feet). This limitation is removed in the current 
B version so no formal restraint exists from attempting 
longer bus lengths. This does not mean all problems would 

be trivial, however. A single bus designed to support all 

areas of the aircraft could be as long as 200 meters. A bus 
run out into a wing must return before going to the the oth- 
er wing or tail. A bus this long is likely to be vulnerable 
and difficult to design. Also, much wire, and thus an in- 
crease in the installation cost and weight is required. 


Probably the most important consideration 
of a multiplex bus system is vulnerability to 
age. If it is necessary to route all redundan 
parts of the aircraft for reliability reasons 
section of the system to damage is made very 1 
part of the aircraft is subs tantially damaged, 
centage of the total communication capability 
could be lost with the unacceptable probabili 
strophic system failure. 
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The solution to the problems of excessive bus length, 
wire weight, and damage vulnerability is a significant in- 
crease in the number of buses. This design requires a com- 
plete set of redundant buses for each major location, such 
as each wing and tail. The design thus becomes increasingly 
awkward. A large number of ports will be required at the 
central computer system. The system is susceptible to fail- 
ure modes that cause the loss of a bus, and thus loss of all 
devices on that bus. 


5.4.2 Network for the Embedded System 

Because of these problems with a multiplex system, this 
study is primarily concerned with a mesh network system, A 
mesh network provides a homogenous, highly damage tolerant 
technique for providing communication to all devices 
throughout the aircraft and has no failure modes to cause 
simultaneous loss of multiple resources. 
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‘ Once a decision is made to use the point-to-point network 
technique for the embedded system, the network must be care- 
fully implemented to develop a* total stucture that effec- 
tively meets all requirements. The network can be laid out 
in the aircraft in several ways; these will be discussed, 
analyzed, and compared. 

The most s tr aightf owar d design for the network is a uni- 
form, logical, rectangular layout. The design is shown in 
Figure 12. The pattern is one of regularly connected hexa- 
gons or bricks. The rectangle is laid out to conform to the 
fuselage to minimize the wire length as much as possible, 
with the edges connected to complete the pattern. Of 
course, some areas have concentrations of communication 
nodes, particularly in the cockpit and wings. Figures 13 
and 14 show possible detail in the cockpit and wing, re- 
spectively. Note that nodes physically adjacent tend to be 
connected. In particular, redundant nodes on the same LRU 
are connected. For example, a triply redundant hydraulic 
actuator is attached, as shown in Figure 15. 


TO OTHER USERS 



O NODES 


Figure 15^ Network Connection to a Triplex Actuator 


Somewhat higher reliability can be achieved by logically 
separating these nodes in the network. However, such sepa- 
ration increases the complexity and wire length without any 
significant increase in the total system reliability. As 
seen in Figure 15, the actuator, as a unit, has five links 
in the rest of the network to provide greater reliability 
than the actuator itself. 
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Figure 12= Mesh Network for Embedded System 
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Examination of Figures 13 and 14 show that the regular 
arrangement of node interconnections leads to an excessive 
number of links connecting various parts of the aircraft; 
for example, 14 links go into the wing. The amount of wire 
can be significantly reduced without compromising safety, by 
establishing regular networks in various places in the air- 
craft where concentrations of nodes exist. These subnet- 
works are then interconnected by a sufficient number of 
links to give the required reliability. One possible con- 
figuration is shown in Figure 16. 

A specialized network could be designed with each node 
having only enough interconnection to provide adequate reli- 
ability and dispatchability , taking into consideration what 
type of unit is attached to the node. Also, the intercon- 
nection between nodes could be specialized. The result 

would be some wire saving, but the design problem is greatly 
complicated by the necessity of assuring no way exists for 
the isolation of a crucial set of nodes after a small number 
of failures. This problem is worsened by the possibility 
that the aircraft must be dispatched with one or two exist- 
ing node failures . 
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Figure 13= Mesh Network in Cockpit 
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Figure 14 j 


Mesh Network in Wing 
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Figure 16: Interconnected Meshes 


94 


I 


Chapter 6 

TRADE-OFF ANALYSIS 


Several communication structures were described in the 
preceding chapter. In this chapter, an analysis of the dif- 
ferences between these alternatives is made to determine 
their effectiveness in avionic system applications. Several 
factors can be used to measure the relative worth of differ- 
ent alternatives. To determine the desirability of the dif- 
ferent alternatives, consideration must be given to the 
overall performance and cost effectiveness of the system. 
Measures of the system's performance include^ capacity, re- 
liability, and availabili ty . Cost effectiveness is deter- 

mined primarily upon the cost needed to support the system, 
which includes maintainability and adaptability, in addition 
to the original cost of development and production. 
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However, the reliability analysis of the 
structure does become an important indirect 
trade-off among alternative designs. The bas 
tics of the system are dominated by how effe 
sign can meet the reliability requirements, 
characteristics that enhance reliability can 
quirements at a lower total cost. The reliab 
es are thus reflected in other areas, such as 
formance or especially lower life cycle costs 
reliability analysis establishes a basis for 
parisons, and thus forms a major part of this 
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Capacity characteristics have much the same role as reli- 
ability characteristics in that all communication systems 
must provide the required capacity. Systems with inherent 
characteristics that provide more efficient capacity will 
have advantages in other areas, such as life cycle costs. 
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‘ This chapter first discusses the reliability analysis 
technique used in this study. (A more complete description 
of the technique is given in Volume I, Chapter 6). The re- 
liabilities of the candidate systems are then analyzed and 
compared. Next^ the capacities of the various candidates are 
discussed. This reliability and capacity analysis provides 
the basis for many of the basic design decisions made in 
forming the candidate structures described in the preceding 
chapter. With the reliability and capacity requirements es- 
tablished, the other characteristics of the candidate sys- 
tems are discussed to help determine the best candidates for 
particular applications . 


6 . 1 BASIS FOR THE RELIABILITY ANALYSIS 

The purpose of the reliability analysis in this chapter 
is to determine the contribution made by the various candi- 
date communication structures to the probability of failure 
of the critical functions performed by the total system. In 
Volume I of this study, general measures of the reliability 
of communication techniques were discussed, such as the con- 
nectivity of mesh networks. In the final analysis, however, 
the reliability of a communication structure cannot be fully 
resolved in isolation from the particular critical functions 
it is supporting. Th’erefore, the analysis in this chapter 
measures the reliability of the communication function in 
the context of the critical avionic functions. 

To perform a reliability analysis on a complete system, 
much less several alternate systems, would be too big a task 
and not within the scope of this study. However, the reli- 
ability of the communication system can be effectively eval- 
uated by analyzing a subset of the total system, represent- 
ing the most critical communication tasks. The task chosen 
for this particular study is the pitch control function, of- 
ten the most critical function in a fly-by-wire flight con- 
trol system. 

To create a realistic environment for the communication 
system, a representative actuator configuration is used. 
This configuration is necessary to define how communication 
failures contribute to failure of the function. Failure of 
the function will depend on various combinations of failures 
of actuator channels. Certainly, no one communication chan- 
nel to a particular piece of equipment will be critical. A 
certain level of redundancy will be used both in the actua- 
tor and the surfaces. A critical communication failure will 
occur if communications are lost to the minimum set of actu- 
ator channels. Furthermore, the significance of a communi- 
cation failure must be judged in relation to failures of the 
actuators and other system elements. Combinations of fail- 
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ures must also be considered. If actuator channels have 
failed, communication failures uill be significant if they 
cause loss of communication to the remaining good channels. 

A typical configuration for the primary equipment in- 
volved in providing the pitch control function has been cho- 
sen for this study, which realistically exercises the commu- 
nication function. Presumably, the aircraft is built with 
reduced static stability and fly-by-wire linkage, thus com- 
pletely dependent on the pitch control electronic function. 
If the electronic system fails, the aircraft is immediately 
lost so that a high degree of reliability and thus redundan- 
cy is required. Consequently, four pitch control aerodynam- 
ic surfaces are used, each surface controlled by a triplex 
force voting actuator. 

Each actuator channel has two failure modest a passive 
mode and an active mode. A triplex actuator can sustain one 
active failure or two passive failures. The aircraft itself 
can sustain the loss of two surfaces. Therefore, the mini- 
mum set of equipment that must be operating is two surfaces, 
each controlled by a redundant actuator with a minimum of 
two channels operating if one channel has failed actively, 
or one channel operating if two have failed passively. 

The central computer system is not included in the reli- 
ability analysis since the computer has a very high level of 
reliability. In addition, failure modes of the computer do 
not interact with failure modes of the communication system. 
Hence, if the computer has not failed, then it can complete- 
ly support the communication system. Since unique interface 
circuits in the central computer system are included with 
the communication link, the total reliability of the func- 
tion can be determined by adding the failure rate of the 
computer to the failure rate of the rest of the system. 

Representative numbers for the probability of failure in 
the actuator channels provide a consistent basis to compare 
the contribution of the communication structure. The servo 
electronics are included with the hydraulic channel since 
one cannot operate without the other. The numbers chosen 
for the combined hourly failure rates are *• 

3.0 X 10“^ for a passive failure 
3.0 X 10’** for an active failure 

Conservative rates are chosen to create a realistically com- 
plex environment for the communication system. 

The baseline reliability requirement for the pitch con- 
trol function assumed for this study is a failure rate of 
10’^ per hour at the end of a 10 hour flight. A flight time 
is given because the failure rate for a highly redundant 
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system will be a strong function of time. The failure rate 
uill increase due the failure of redundant resources. It is 
thus required that the instantaneous failure rate at the end 
of the expected operational time of the aircraft be uithin 
the required value. The probability of functional failure 
of the system during a short period of time at the end of 
the flight will thus be approximately this maximum failure 
rate times the time period. A nominal maximum operational 
time for a commercial aircraft is assumed to be 10 hours. 

In addition, this reliability requirement must be met 
with any component failed at the beginning of the flight. 
This requirement is necessary, otherwise all equipment must 

work at dispatch. The levels of redundancy necessary to 

meet the reliability requirements will involve a large num- 
ber of elements. The probability that all of these are 

working at dispatch may be too low to be acceptable for com- 
mercial operations. A fault-tolerant system can reconfigure 
available resources to assure that the most critical func- 
tions are performed. Thus, any practical design will in- 
clude more resources than the minimum required for opera- 
tional reliability. These additional resources will allow 
dispatch with one or more elements failed. The end result 
will be a significant increase in dispatchability over cur- 
rent experience. This philosophy is used in the communica- 
tion systems considered in this study. 


6 . 2 RELIABILITY ANALYSIS OF CANDIDATE ARCHITECTURES 

A reliability analysis for the critical elements involved 
in the pitch control function will be made for each candi- 
date architecture. The analysis technique used is the reli- 
ability equation method, described in Volume I, Section 6.7. 


6.2.1 One Location Configuration 
6.2. 1.1 Dedicated Links 

The dedicated link system is simple enough that a direct 
computation of reliability is practical. The other system 
configurations cannot be analyzed as easily, however. 
Therefore, the equation diagram method is used for the dedi- 
cated link system, both to maintain consistency with the 
analyses of the other systems and to begin the explanation 
of the reliability analysis with a less complex system. 

The reliability analysis will be discussed in terms of 
the steps described for this technique in Volume I. These 
steps are summarized here, along with their application to 
this system. 
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step 1 2 


Partition the System into Basic Elements. 


First# the system must be partitioned into elements. A 
diagram of the critical parts of the system using dedicated 
links is shown in Figure 17. The partitioning of this sys- 
tem is straight foward. Since a dedicated link exists for 
each actuator channel# the communication channel can be com- 
bined with the servo electronics and the hydraulic actuator 
channel. If any of these components fail# the others in the 
serial chain cannot be used. Consequently # this system can 
be described using only one type of element# which includes 
all of these components# including the dedicated parts of 
the link interface within the central computer system. The 
entire system is modeled by 12 of these elements. 

Step 2 - Identify Events that Define the State of Each Ele- 
ment 


The condition of this one type of element can be defined 
by three states^ (1) the good state# (2) the failed state 
with the actuator failed passively# and (3) the failed state 
with the actutor failed actively. The probability rate of 
entering a failed state is the failure rate of the link# as- 
sumed here to be 1.0 x 10"**# added to the appropriate rate 
for the actuator channels. 

Step 32 Select an Order for the Application of the Equations 


An order must be selected to incorporate the elements 
into the reliability analysis. Dependency primarily deter- 
mines the order in the analysis of most systems, i.e.# how 
one element depends on others for proper operation. In the 
dedicated link system# none of the elements depend on an- 
other; thus the order can be somewhat arbitrary. To simplify 
the diagram# a minimum sequence of elements is chosen to ac- 
complish system success. The sequence chosen here is first 
link/actuator channels 1 and 2. If both are good# the oper- 
ation of one surface is assured independent of the state of 
channel 3. For symmetry# channels 10 and 11 are chosen 
next. If these two channels are good# a second surface is 
operational and thus the pitch function is assured. The se- 
quence for the remainder of the system is determined prima- 
rily by how elements are added to replace failed elements# 
described in Step 4. 

Step 42 Construct the Diagram of the Equations 
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Figure 17: Dedicated Bus System for Pitch Contr 
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The equation diagram is now constructed using the analy- 
sis program described in Volume I; the results of this pro- 
cess are shown in Figure 18. The label chosen for the basic 
system element is "dac” for dedicated link/actuator. A num- 
ber is attached to distinguish which element is considered. 
The process of building the equation diagram begins by en- 
tering the codes for channels 1, 2 , 10/ and 11. The first 

state considered by the program is all of the elements good. 
If these four elements are good, the pitch function is good 
independent of the state of any other element. The unreli- 
ability of 0 can then be specified by entering "qO”. The 
next system state prompted by the program is channel 1 1 
failed passively, with the other three channels still good. 
Channel 12 must be added to account for the possibility that 
is has failed actively. If it has not, the unreliability is 
still 0; if it has, another channel must be considered. 
Channels 4 and 5 are now added. If both are good, the unre- 
liability is again 0. If not, channel 6 is again added. If 
this surface is also not functioning, channels 7, 8, and 

then 9 are added in the same way as the previous c.hannels. 
For the states of any successful channels, the system unre- 
liability is again 0. For states of unsuccessful channels, 
the unreliability of the system is now 1 since three surfac- 
es have failed and no other resources are available. 


The process of 
ues by accounting 
by the program, 
first to go down 
to fill in the br 
corner and moving 
finished . 


constructing the equation diagram contin- 
for the system states as they are prompted 
The pattern followed by the program is 
the left hand edge of the diagram and then 
anches beginning from the bottom left hand 
up and to the right until the diagram is 


Step 5- Compute the System Unreliability 


The analysis program automatically computes the unreli- 
ability for each branch when all necessary information is 
available. Thus, when the diagram is complete, the computed 
unreliability will be available, as shown in Figure 18. In 
this diagram, the number at the top is the unreliability of 
the system. Under that number are those components summed 
to give the top number. These numbers are the result of the 
analysis of the remainder of the system, given the state of 
the first element. This state is shown by the code above 
the number. The analysis that produces each of these num- 
bers is shown by the branch of the diagram. The same pro- 
cess is repeated at each level until the system is deter- 
mined to be either good or failed. A more complete 
description of this analysis process is given in Volume I. 
This diagram gives the unreliability after one hour, assum- 
ing all components are good at the beginning. The failure 
rate of a highly redundant system is a very strong function 
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of time. The present version of the program cannot directly 
compute the failure rate as a function of time. This fail- 
ure rate can be estimated, houever, by computing the unreli- 
ability at two times at the end of the required time period. 
Figures 19 and 20 give the unreliability at 9 and 10 hours 
respectively . 

The unreliability analysis can now be interpreted to de- 
termine the implications for comparison with other system 
designs. The dramatic growth in the unreliability as a 
function of time can be seen by comparing Figures 19 and 20. 
The unreliability increases by almost 6 orders of magnitude 
between 1 hour and 10 hours. To be conservative in this 

analysis, the total unreliability after 10 hours will thus 
be used to determine how well the system meets its require- 
ments . 


Even 
exceeds 
der the 
ginning 
initial 
various 


after 10 hours the analysis shows that the system 
the requirements by several orders of magnitude un- 
conditions that all equipment is working at the be- 
of the time period. The unreliability for different 
failure conditions can be determined by looking at 
branches of the equation diagram. 


The unreliability of the system with one channel failed 
passively can be seen in Figure 20 on the third line, column 
four to be 9.7 x 10“'’'*. The unreliability is approximately 
two orders of magnitude less than the system with no initial 
failures. The unreliability of the system with one channel 
failed actively can be seen at location 3,7 to be 1.3 x 
10"^^, another order of magnitude larger. The unreliability 
of the system after one surface is completely lost is 5.6 x 
1 0 ' ^ , as shown at the location 7,4. 


This analysis shows that this system exceeds the require- 
ments. The development of a system intended to go into a 
production aircraft would likely have a finer tuned design 
that would not exceed the requirements as much, allowing 
some savings in hardware. However, for the purposes of this 
comparative analysis, a conservative approach is taken to 
fully exercise the communication system. 
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Figure 18: 


Reliability Equation Diagram for the Dedicated 
Link System Time = 1 Hour 
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Figure 20: 


Reliability Equation Diagram for the Dedicated 
Link System Time = 10 Hours 
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dedicated link system. The steps taken are briefly 

discussed, uith emphasis on any different aspects. 

In the first step, the system is partitioned into two ba- 
sic elements: one is the actuator channel which includes 

both the servo elecronics and the hydraulics. The other el- 
ement encompasses both the controllers and the bus itself. 
These two types of elements cannot be combined into one 
since the failure of one actuator channel does not cause the 
loss of the bus or the other actuator channel on that bus . 

The two controllers and the bus itself can be combined 
into one element for the total system analysis. The commu- 
nication function is not lost on that bus for most of the 
failure modes of one controller, although it will fail if 
both controllers fail or if the bus itself fails. The way 
the bus fails is not significant as far as any interaction 
with the failure of other elements. The failure mechanism 
within the bus element can be separately analyzed and the 
resulting net failure rate used in the analysis of the total 
system. This situation significantly simplifies the analy- 
sis of the total system. 

The actuator element again has active and passive failure 
modes, as dicussed earlier. The failure rates will also be 
the same, as previously assumed. The bus element will have 
only two states: good and failed. The .failure rate for the 
controller is assumed to be 1 . 0 x 10’**. The bus can fail 
either from broken or shorted wires or from any failed units 
on the bus that prevent its use. These failures not only in- 
clude grounds or highs on the bus, but also include more 
complex failure modes, such as responding to the wrong ad- 
dress or transmitting when not commanded. Also, many other 
units exist on the bus, other than those shown* in Figure 21 
which directly involve the pitch control function. As many 
as 20 other units on each bus are not directly involved in 
the pitch control function but can become indirectly in- 
volved since they are attached to the same bus carrying 
pitch control commands. The bus interfaces in the units 
will be designed to make these failure modes very unlikely. 
However, these types of failures are still possible. For 
this analysis, a conservative failure rate of 1 . 0 x 10’^ per 
hour is used. The failure rate for the bus element is thus: 

2 = 2(cont)^ + Q(bus) 

= (1.0 X lO’** + 1.0 X 10-5 

= 1.001 X 10-5 

The failure rate is essentially the rate for the bus itself 
with almost no contribution from the failure rate of the 
controllers. The sensitivity of the system unreliability to 
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this failure rate number and the design decision to use dual 
controllers is discussed a little later. 

The order in which the elements are incorporated into the 
analysis follows much the same pattern as for the dedicated 
link system. However, now two different types of elements 
and dependancy are important. The state of the bus must be 
determined before any of the elements attached to that bus 
may be considered. The order chosen for this analysis is 
bus 1, actuator channels 1 and 3, bus 6, and actuator chan- 
nels 10 and 12. Other elements are added in a similar se- 
quence until all elements are included, with the appropriate 
bus accounted for before the attached actuator channel can 
be considered operational. 

The equation diagram and the results of the analysis are 
shown in Figure 22. The entire diagram is given for com- 
pleteness. It will only be necessary, however, to review 
several of the branches in the upper left hand corner to 
learn the nature of the failure process for this system con- 
figuration and assess the results. The diagram is developed 
by entering the codes for bus 1, then actuators 1 and 3, 
followed by bus 6 and actuators 10 and 11. At this point, 
the pitch control function is assured and an unreliability 
of 0 is entered. The next state considered is actuator 
channel 12 failed passively with the earlier elements still 
good. To determine the success of the system, channel 11 
must not be failed actively. This channel does not have to 
be working since channel 10 is already good, thus bus 5 does 
not have to be considered. However, when channel 12 is 

failed actively, bus 5 and actuator channel 11 must be add- 
ed, as shown in the diagram at location 8,6. For a complete 
failure of surface 4; bus 3, actuator 5, bus 2, and actuator 
4 are added, starting at location 9,4. Location 9,4 is the 
point in the diagram that corresponds to the system state 
that includes the active failure of actuator channel 12. 
This same sequence is also used for the other states, which 
result in the failure of the channels 10-11-12 actuator sys- 
tem. The result of the sequence is transferred to the other 
places where it is needed, as shown by all of the 9,4’s in 
rows 7, 8, and 9. A similar process is continued until the 
entire diagram is complete. 

The results of the analysis prove that the requirements 
are comfortably met when all elements are working at the be- 
ginning of the 10 hour flight. The reliability drops sig- 
nificantly, but the requirements are still met if a bus is 
bad at the beginning of the flight. This result is shown at 
location 3,4, the conditional unreliability of the system, 
given that bus 1 failed. In fact, the requirements are met 
when one entire surface is failed, as shown at location 9,4. 


Figures 23 and 24 show the sensitivity of the system un- 
reliability to changes in the failure rate for the bus. 
These figures give only the upper left hand part of the to- 
tal diagram, which sufficiently shows the results. Figure 
23 is for a bus failure rate of 1.0 x 10’^ per hour. The re- 
liability is not signficantly improved. Figure 24 is for a 
bus failure rate of 1.0 x 10"**, corresponding to the case 
where the backup controller is eliminated. The reliability 
still meets the requirements, but is almost two orders of 
magnitude worse. 


6.2. 1.3 Mesh Network System 

A diagram of the critical parts of a network system in- 
volved in the pitch control function is shown in Figure 25. 
The analysis of a system that uses a mesh network is signif- 
icantly more complex than the analysis of the previous sys- 
tems. Numerous combinations of failures within the network 
that can be sustained before a communication failure will 
cause the loss of a critical function. The analysis of a 
complete system, such as the one shown in Figure 10, would 
be very complex and beyond the scope of this study. A sim- 
plified system can be defined, however, that adequately rep- 
resents the full system for the purpose of this comparative 
analysis. The analysis is considerably more involved than 
it was for the previous two systems although it can be per- 
formed . 

The system is simplified by including only those elements 
directly involved in the pitch control function. This sim- 
plification is performed by assigning those nodes interfaced 
to the servo electronics to adjacent positions, that are 
also adjacent to the ports in the central computer system. 
The rest of the system is then deleted and the affected 
links joined together. The resulting system is shown in 
Figure 2 6 . 

This system is a conservative simplification since it 
will have a lower reliability than the original system for 
two reasons-* First, if the nodes servicing the servo elec- 
tronics are not placed in adjacent positions, the number of 
failures required to isolate particular channels will be 
considerably greater and thus less probable. Second, by 
eliminating other nodes from the analysis, alternate paths 
that could have compensated for failed nodes or links are 
now unavailable. The appropriateness of this simpif ication 
can only be judged after the results of the analysis are 
available. If these results show that communication fail- 
ures do not significantly contribute to the failure of the 
critical function, then the simplification is successful. 
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Figure 23: Multiplex Bus System with the Bus Failure Rate 
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Figure 24: 


Multiplex Bus System with the Bus Failure Rate 
Increased by a Factor of 10 
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Figure 25: Network System for Pitch Control 
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Figure 26: Simplified Mesh Network System 


The netuork system is partitioned into three elements: 
One of the elements is the actuator channel/ as also seen in 
the previous system configurations. The netuork itself is 
divided into tuo elements: One is the core of the communi- 

cation node and the other is the link betueen nodes, or be- 
tueen a node and the computer system. This division is nec- 
essary since a node can be used after a link to that node 
has failed by using an alternate path through other links 
and nodes still operating. The link element includes all of 
the interface circuits unique to that link on both ends, 
plus the wire and connectors in between. The node element 
includes all of the equipment common to all paths through 
that node. This partitioning is shown in Figure 27. 

The actuator element has the same failure modes and the 
same probabilities as in the previous system. The node and 
the link are assumed to have only one failure mode, with a 
failure rate given by: 

node 2.0 x 1 0 ’ 
link 1.0 X 10“ •• 


The order in which the elements are included in the anal- 
ysis begins with a node that has a potential link to the 
computer system. The node must be good before any links to 
that node can be used. Also, a sequence of good elements 
must be established between the computer and the element in 
question. The next element after the node is the link from 
that node to the computer. Then, the actuator channel at- 
tached to that node is added. This pattern continues until 
enough good elements assure the operation of the pitch func- 
tion. When an actuator channel fails, a similar strategy to 
the previous analysis is followed. When a link fails, al- 
ternate paths are added. 

Part of the equation diagram, and the computed unreli- 
ability, are shown in Figure 28. The upper left hand corner 
of this diagram sufficiently illustrates the failure charac- 
teristics of the system and provides enough information to 
compare to other systems. The computer program used to per- 
form this analysis is an older version that does not present 
the results in as readable a format. Therefore, lines have 
been added to show how the branches relate. The nodes are 
represented by the letter N, then by a number to designate 
which node, followed by a G for good or an F for failed. 
The links are represented by an L, plus either a C (for com- 
puter) and/or numbers to designate what two ports are con- 
nected by the link. Again, a G or F show whether the link 
is good or failed. The actuator is represented by A with a 
number, plus either G for good, S for passive (soft) fail- 
ure, and F for active failure. 
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Partitioning of Network System Elements 
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The results in Figure 28 show that the system easily 
meets the requirements. The results given in this figure 
are in a different format from the previous analyses. The 
number at the top of the diagram is the unreliability of the 
total system after 10 hours of operation. The number under 
each symbol is the unreliability, given the state of the 
system as defined by the state of the elements on the branch 
down to that symbol. For example, the first number on the 
second line under NIG is the unrelibility of the system, 
given that node 1 is good. The second number on that line 
is the unreliability of the system, given node 1 is failed. 
The 0 on line 13 means that the system state defined as good 
by the 12 elements in the first column assures the success 
of the function. 


The res 
quirements 
The result 
one node i 
on line 3 . 
ments can 
either pas 
that the r 
of one sur 


ults given in this figure also show that the re- 
are met when any one element is initially failed, 
on line 2 show the requirement is easily met when 
s failed and likewise for a failed link, as shown 
The results on line 4 indicate that the require- 
also be met when an actuator channel has failed, 
sively or actively. The results under A8F show 
equirements can be met after the complete failure 
face, but only by a narrow margin. 


The contribution of the network communication structure 
to the unreliability of the system can be estimated by ob- 
serving several of the results shown in the diagram. First, 
a significant drop in reliability by two orders of magnitude 
is seen when node 1 fails. This drop in reliability is pri- 
marily due to the loss of the use of the actuator channel 
connected directly to that node, rather than an indication 
of the reliability of the communication system itself. This 
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fact can be determined by observing the results on line 4. 
The unreliability of the system, given that actuator channel 
1 is failed -passively , is almost as large as the unreliabil- 
ity with node 1 failed, confirming that the loss of the ac- 
tuator channel is the major component in the unreliability 
with the node failed. 


Line 3 shows a more direct measure of the contribution of 
the communication system to the unreliability of the system. 
The unreliability of the system with the link from the com- 
puter to 1 failed is no greater than with this link good, 
illustrating that the failure of the link makes no contribu- 
tion to the unreliability of the system. This same result 
is observed by comparing the unreliability of the system 
with a link good to that same link failed for all of the 
other links shown in Figure 28. These results show that the 
network communication structure makes an insignificant con- 
tribution to the unreliability of the system. This result 
also confirms that the simplif ications made in the system 
are legitimate. The complete system would have only added 
more alternate paths to replace a failed link. Since the 
failure of links makes an insignificant contribution to sys- 
tem unreliability , additional redundancy is unnecessary. 


6 . 2 . 1 . 4 Local Bus 

The configuration of the system using the local bus is 
logically identical to the multiplex bus configuration. In 
both cases, there are two controllers each for six buses. 
There are also servo electronics for two different actuator 
channels on each bus. Most probably, the failure rates for 
the elements will vary, although the direction of the dif- 
ference is not obvious. The complexity of the local bus 
controllers and terminals are expected to be simpler. The 
local bus requires many more wires so that the failures, 
from such causes as connector failures, will be greater. An 
extensive analysis of a particular system design is neces- 
sary for a definitive comparison. 


6.2.2 Other Conficrurations 

The reliability analysis of most of the communication al-. 
ternatives for the three location configuration and the em- 
bedded configuration, have the same form as the corre- 
sponding alternative for the one location configuration. 

The failure rates of the elements may vary, particularly be- 
cause of the greater distances involved. Again, only a de- 
tailed analysis of a particular design could produce any 
quantitative difference. However, the essential purpose of 
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6.2.3 


Summary of Reliability Results 


The reliability of all 
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level of reliability is s 
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more optimized design for 
reliability margin somewh 
However, this high level 
that maintenance interval 
reliability increased, 
not to perform a detailed 
system alternatives with 
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established, the alterna 
best achieves the require 
this chapter is a part of 
led to the alternatives d 


the candidate communication struc- 
same level of reliability. This 
ignificantly greater than necessary 
failed initially. Most likely, a 
an actual system would reduce the 
at and produce savings in hardware. 

of redundancy may be retained so 
s can be extended and/or dispatch 
Yet, the purpose of this study is 
design of a system, but to create 
essentially equivalent levels of 
equivalent levels of reliability 
tives can be compared to see which 
ments . In fact, the analysis in 
the iterative design process that 
escribed in Chapter 5. 


6 . 3 SYSTEM CAPACITY ANALYSIS 

The requirement for the actual data rate capacity is giv- 
en in Chapter 3. The total requirement is 155K data bits 
per second. The one location system configuration described 
in Chapter 4 requires a total throughput of 1 8K 16 bit words 
per second to produce the required data. The data through- 
put required is thus 288K bits per second. The basic trans- 
mission rate assumed for the communication links for each 
candidate is 1 MHz. This rate is based on the soundest 
technology and is consistent with MIL-STD- 1 55 3B . This rate 
can be supported by twisted shielded wire, avoiding the the 
problems and expense of broader bandwidth wire, such as co- 
axial cable . 

The dedicated link system can easily meet the capacity 
requirements. Each link can be used independently (unless 
constrained by the use of shared equipment in the central 
computer, which is assumed not to be the case in this 
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study). The data rate capacity is thus judged by how well 
the requirements are met for the link with the greatest 
rate. The link with the greatest requirement can thus be 
easily met. The protocol overhead for a dedicated link is 
minimum, so the 1 MHs rate is more than adequate and could 
be reduced if desired. 

The multiplex bus system can also easily meet the capaci- 
ty requirements. With a total of six buses, units are as- 
signed to the buses in a way that balances the communication 
load. The data rate requirement for each bus is thus ap- 
proximately a 72K bit rate. The protocol overhead for a 

multiplex bus is much greater than the dedicated link. In 
the worst case, the multiplex bus is expected to be 45% ef- 
ficient. Thus, a 1 MHs bus will easily meet the require- 
ments . 

The network can also fulfill the capacity requirements, 
although the margin may be less depending on the mode of op- 
eration of the network. The worst case is that the network 
operates as a single logical bus. The overhead will be the 
same as the multiplex bus system, except during network re- 
configuration. Presumably, reconfiguration seldom happens 
and can be accomplished in a short enough time that it has 
no effect on critical functions. Thus, the capacity re- 
quirements can be met in this worst case configuration. Un- 
fortunately, there is little flexibility for growth. This 
problem can be alleviated either by using dedicated links 
between nodes with high da*ta rate requirements, or by organ- 
izing the network as more than a single logical bus. 


6 . 4 COMPARISON OF CANDIDATES 

The previous sections established that the systems em- 
ploying the candidate communication techniques have equiv- 
alent levels of reliability and capacity. The systems can 
now be compared to see which best meets the requirements. 
However, to establish firm quantitative distinctions between 
these alternatives is impossible without the detailed design 
of each system. Ne ver theless , some general observations can 
be made to aid in making effective choices at the beginning 
of a system design effort. 

Several of the advantages and disadvantages of each can- 
didate have already been discussed in Chapter 5. These com- 
parisons are summarized for the candidate systems for the 
one location configuration. This comparison will also gen- 
erally apply to candidate systems for the three location 
configuration because they have similar characteristics. A 
trade-off is unnecessary for the embedded system since, in 
this study, the mesh network is considered to be the only 
likely candidate for this configuration. 
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The effectiveness of the candidate systems for the one 
location configuration can be compared using several differ- 
ent criteria. Some of these criteria are initial develop- 
ment costs# production costs# maintainability# availability# 
flexibility# and technical risk. Most of these factors can 
eventually be resolved in terms of the total life cycle 
costs. The initial development and production costs along 
with much of the maintainence costs# will primarily depend 
on the amount and complexity of the hardware. Lack of flex- 
ibility will require greater costs when future modifications 
must be made to the system. Higher technical risk gives the 
probability of higher costs when technical problems must be 
solved# or replacement equipment must be utilized. 

The comparison of development and production costs based 
on complexity can be estimated quantitatively# with the oth- 
er standards compared only qualitatively. 


6.4.1 Comparison of System Complexity 


The complexity of the communication system can 
pared by looking at the equipment required to pro 
basic interface at the using terminals. To form 
basis for comparison# each unit connected to the c 
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The multiplex bus interface becomes substantially more 
complex since it has all of the components of the dedicate 
bus# plus the additional functions required to operate in 
multiplex environment. These additional functions include 
responding only to a particular address, recognizing com- 
mands from the bus controller, and generating the proper 
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status uord in response. The timing restraints will be 
considerably tighter since any delay in response will create 
a penalty for the entire system. These timing constraints 
are likely to be too tight to meet without dedicated hard- 
ware. Also, data buffering will probably be needed for en- 
tire outgoing and incoming messages. The complexity is thus 
estimated to be 3 times the dedicated bus interface. 

The mesh network system will be the most complex, having 
to service three multiplex links. Some of the control and 
data buffering can be shared. However, a limited ability to 
simultaneously monitor all buses will be required for recon- 
figurations to be made after failures. Additional control 
logic must be included for the node to respond to the com- 
mands that configure the mesh. The resulting equipment is 
thus expected to be 5 times as complex as the local bus . 


The local bus is already in a form that is close to the 
internal bus in the terminal unit. The bus is not likely to 
be identical, however. There will thus be some logic cir- 
cuits necessary to convert the signals into the correct 
form. Bidirectional three state buffers will be required on 
most of the lines. The number will be a function of the de- 
sign of the local bus. For example, the number will be less 
if data and address are multiplexed on the same lines. Data 
storage buffers may also be required if the terminal unit 
cannot respond within the timing requirements of the local 
bus. Particular care must be taken to assure that the fail- 
ure modes of the interface that would disrupt communication 
on the bus have very low probability. Extra hardware may 
thus be required to reduce the probability that a unit can 
put a high or a ground on any of the bus lines, primarily 
because of the circuits required to support the large number 
of lines, the local bus interface is expected to be 2 times 
as complex as the dedicated bus interface. 


The comparative complexity of the candidate systems can 
now be estimated by multiplying the number of interfaces by 
the complexity factor for each case. The interface at the 
central computer system for the dedicated link system is as- 
sumed to be essentially the same as the interface at the re- 
mote unit. The total number of interface circuits is thus 
twice the number of units. The bus controller for the mul- 
tiplex bus system is assumed to be approximately 50% more 
complex than the interface in the remote unit. Since there 
are 12 controllers, one primary and one backup for each bus, 
there are an equivalent of 18 interfaces. The interface at 
the computer for the network is assumed to be the equivalent 
to two nodes since each node has three ports, giving the six 
ports assumed for this system. The controllers for the lo- 
cal bus system are assumed to be twice as complex as the in- 
terface in the remote unit. Since there are 12 controllers, 
this is equivalent to 24 interfaces. The results are corn- 
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bined to form an index that gives an approximate total 
measure of the complexity of the alternative systems. These 
results are summarized in Table 27. 


TABLE 27 

Summary of Estimated Relative Complexity 


SYSTEM 


REMOTE 

COMPUTER 

TOTAL COMPLEXITY 

COMPLEXITY 

TERMINALS 

INTERFACE 

FACTOR 

INDEX 

(NUMBER) 

(EFFECTIVE 
NO . OF TERM . ) 




DEDICATED 92 92 184 

LINKS 


184 


MULTIPLEX 92 18 

BUS 


100 3 


300 


MESH 92 2 

NETWORK 


94 5 


475 


LOCAL 

BUS 


92 ^ 


24 


116 2 


232 


*N0TE: THIS NUMBER INCLUDES THE REMOTE TERMINALS WHICH CANNOT 

ACTUALLY BE SERVICED BY THE LOCAL BUS. A DEDICATED LINK 
IS ASSUMED FOR THESE INTERFACES WITH ESSENTIALLY THE 
SAME COMPLEXITY. 


6 . 5 SUMMARY COMMENTS ON TRADE-OFF ANALYSIS 

The relative complexity will be a major factor in deter- 
mining which communication structure is best for a particu- 
lar application but it will not be the only factor. The 
complexity will be important since it will have a major in- 
fluence on the initial and support costs. The significance 
of complexity will decrease with time, however, with the in- 
troduction of special purpose VLSI circuits. When these 
circuits are produced in high quantities, the advantages of 
a more complex system can be obtained at little additional 
cost. Other factors, such as flexibility and technical 
risks, may outweigh strict cost consider ations in some cas- 
es . 


The dedicated bus system is not likely to be the most ef- 
fective choice for any very large system because of the awk- 
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wakdness and inflexibilty of the interface at the central 
computer system. The wiring installation in the aircraft 
will also require a large amount of wire and be difficult to 
modify . 

The multiplex bus system has the greatest current accep- 
tance. It provides a reasonable amount of flexibility and 
installation efficiency. The difficulty of designing a re- 
liable and efficient bus will become harder as more units 
are attached to the bus. The bus will also become more 
vulnerable to failure and damage when it attempts to support 
units distributed throughout the aircraft. 

The network system is currently more complex than the 
other alternatives. However, as the technology becomes 
available to implement the node with VLSI technology, there 
is likely to be a shift from a multiplex bus to a network 
system to avoid the problems of designing a very large and 
flight critical multiplex bus system. 

The use of a local bus system will depend largely on what 
trends develop in the architectural design of large, highly 
integrated systems. If a modular system emerges and if 
these modules are packaged as individual line replaceable 
units within environmentally controlled compartments, the 
local bus is likely to be the most effective communication 
structure within those compartments, particularly since it 
can support a much higher data rate than serial buses can. 
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Chapter 7 


CONCLUSIONS AND RECOMMENDATIONS 


This study contributes to the technology base necessary 
for the development of effective avionic communication sys- 
tems . A general study such as this cannot recommend a uni- 
versally preferred communication structure. The best choice 
for a particular system must be the product of an analysis 
of the requirements, oppur tunities , and constraints of that 
particular situation. This study does discuss, however, 
some of the factors involved in choosing the best communica- 
tion technique and also provides some of the necessary de- 
sign and analysis tools. 
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This study concludes that the best choi 
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The conclusion for future systems, where equipment is 
.distributed throughout the aircraft, is that a mesh network 
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is most effective. Cost effective, integrated circuit 
technology is predicted to be available to perform the com- 
plex operations required in extreme environments. The net- 
work will be an efficient solution for meeting the problems 
that would be encountered in designing a multiplex bus sys- 
tem that supports critical functions throughout an aircraft. 
It will be difficult and cumbersome to design a multiplex 
bus system for these long and exposed distances to meet the 
reliability requirements for life critical functions in the 
presence of the inevitable failure and damage hazards. The 
inherent characteristics of the network provide effective 
techniques for containing these hazards. The primary disad- 
vantage of complexity will diminish with the development of 
the new technology. 

Extensive research is needed to provide all the technolo- 
gy necessary for developing the communication structure for 
highly integrated avionic systems. One area of research re- 
commended for the next generation aircraft is further study 
of the communication techniques within an avionics compart- 
ment. Current multiplex buses, such as MIL-STD- 1 553B , are 
designed for longer distances and do not have the simplicity 
and throughput appropriate for communication between modules 
within a relatively small compartment. On the other hand, 
the system buses developed in the commercial industry re- 
quire a large number of connections and may be difficult to 
make fault tolerant. Some compromise between these two con- 
cepts may be appropriate. A thorough study is necessary to 
arrive at that compromise. 

In the longer term, more work is recommended on network 
communication concepts. Work is needed particularly to de- 
velop the technology that will provide the necessary func- 
tions cost effectively in a severe environment. Additional 
work is also needed to develop the design tools and guide- 
lines for effectively constructing the network comf igur ation 
within an aircraft. 
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APPENDIX A 


PHYSICAL DAMAGE HAZARDS TO FLIGHT 
CRITICAL ELECTRONIC EQUIPMENT 


I. Introduction 

Advanced electronic flight control equipment is being developed 
to perform increasingly flight-critical functions. These functions are 
becoming integral parts of the basic aerodynamic and structural designs 
of aircraft, thereby creating control-configured vehicles (CCV) . 
Electronic equipment is also providing the basic connection between the 
pilot controls and the aerodynamic control surfaces, replacing 
mechanical linkages to give fly-by-wire systems. 

In commercial aircraft, these advanced avionic systems must meet 

the Federal Aviation Regulations, which state that it must be extremely 

improbable that a system failure cause a catastrophe. VThere numerical 

analysis is appropriate , "extremely improbable" is interpreted as a rate 
-9 

of 10 per hour or per flight. These systems are becoming so critical 
to safe flight that a complete failure is almost certain to be catas- 
trophic. Thus the required functional failure rate for the systems is 
10 ^ per hour. 

Electronic components inherently have much too high a failure 
rate to provide the required reliability. This problem has been 
attacked by building redundant systems that are tolerant to individual 
electronic failures 'by using techniques to detect and identify failures 
and reconfigure the system to allow continued operation. Advanced 
systems are being developed which give reasonable confidence that they 
can provide the required functional reliability in the presence of 
random failures. 

The success in solving the problem of random failures has 
significantly increased the relative importance of other hazards. Other 
hazards such as damage and design faults have been considered suf- 
ficiently unlikely so that they could be realistically ignored in the 
past. However, dramatic reductions in primary failure rates and 
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lowering failure rate requirements have made it necessary that other 
types of hazards be carefully considered. They could become the 
dominant contributors to the total failure rate. The hazard of 
particular concern in this discussion is physical damage. 

Physical damage can result from collision with other aircraft, 
birds, collision with the ground or other stationary objects, excessive 
aerodynamic loads due to abrupt maneuver or turbulence, explosion 
(terrorist or accidental) , massive failure of engine or other equipment 
such as air conditioning turbine including effect of parts thrown out, 
loose objects such as cargo, and damage due to rapid decompression. Fire 
can result from many of the same causes plus massive failure of 
electrical and electronic equipment, cargo fires, accidental trash fire 
such as a cigarette in a waste container, etc. Physical damage would 
also include liquid damage due to fuel, hydraulic, galley, and toilet 
leaks . 

Physical damage to the flight control system has been involved 
in the two worst single aircraft accidents. The Turkish DC-10 
ultimately crashed because of lack of pitch control due to damage to 
the control lines under the floor. Preliminary reports df the American 
DC-10 indicate that a major contributor to the ultimate loss of control 
was the retraction of the leading edge flaps due to damage to the 
hydraulic lines or control lines. 

In order to begin to accoxint for the damage hazard, it is 
necessary to establish some measure of the rate of damage events and 
estimate the effects they are likely to have on electronic equipment. 
This paper is intended to be a first step toward estimating these rates 
and effects. 

II. Method of Estimating Dcimage Hazard Rate 

The method used here for estimating damage failure rate is based 
on a survey of all U.S. air carrier accidents from 1964 through 1977. 

The initial survey was done using the briefs of accidents in the Annual 
Reviews of Aircraft Accident Data published by the National Transporta- 
tion Safety Board (NTSB) . For selected accidents, the complete 
accident file or report was reviewed at the NTSB offices in Washington, 
D.C. 

The electronic system assximed for this study involves electronic 
units contained primarily in bays within the fuselage with some 
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electronic equipment contained in other areas including the wing, the 
tail, and on the engines. These electronic units are assumed to be 
interconnected with a communications system. It is assumed that normal 
practice has been used in installing this equipment, and that no 
extraordinary steps were taken to avoid physical damage. 

For each accident, a determination was first made on whether 
damage to the electronic system could have contributed to an accident. 
Two classes of accidents were eliminated; those where it was judged to 
be very unlikely that any part of an electronic system would be damaged, 
and those where the results of the accident would be the same whether 
the electronic system was damaged or not. 

For each of the remaining accidents, rough estimates were made 
in three categories; the probability that at least one cable containing 
a communication line or communication terminal was damaged, the 
probability that more than one line or terminal was damaged, and the 
probability that one particular area in the forward avionic bay was 
damaged which could correspond to a system controller. 

These estimates were based primarily on the limited amount of 
information available in the briefs of accidents in the NTSB reports. 

In a few cases these estimates were reviewed and refined by the 
complete accident report file which contained pictures of the damage 
in many cases. 

III. Estimates of Damage Hazard Rates 

The time period 1964 through 1977 produced 771 accidents for 
U.S. air carriers including the certificated route carriers and supple- 
mental carriers. This represents a total flying time of approximately 
83 million hours. 

Of these accidents, 58 were judged to be ones where damage to a 
flight critical electronic system could have been a factor. For each 
of these accidents, estimates were made of the probabilities in each 
category that the electronic system would be damaged. Detailed reports 
were reviewed for nine accidents (see Table I) . These detailed reviews 
led to revision of the estimates in some cases but in general confirmed 
the original numbers. 

The damage probability estimates are given in Table II. These 
probabilities are then summed and divided by the total flight hours to 
give the estimate of the damage hazard rate. The results arer 
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I 


1 


I 

I 


1. Damage rate to at least one communication line 

-7 

in the system 2x10 /Hr 

2. Dcunage rate to two or more communication 

lines 6x10 ®/Hr 

3. Damage to one particular unit in the forward 

-9 

avionic bay 4x10 /Hr 

IV. Conclusions 

The damage hazard rates estimated here are not intended to be 
definitive. Because of the limited amount of information available for 
the preliminary study, the rates may be in error by as much as an order 
of magnitude in either direction. One potentially significant soxirce 
of damage hazard which was not considered was incidents which might 
have caused damage but were not severe enough to be reported to the 
NTSB as an accident. 

These preliminary estimates do indicate, however, that physical 
damage can be a significant failure mode for advanced electronic flight 
control equipment in a commerical airplane. It is recommended that 
more work be done to improve the estimates of the damage rates and that 
damage be included in any failure analysis of any flight critical 
electronic system. 


! 
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TABLE I 


DETAILED ACCIDENT REPORT REVIEWED 


DATE LOCATION AIRLINE AIRCRAFT ACCIDENT TYPE 

Jan. 9 , 1979 Newark American B-707 Collison, Mid-Air 

Substantial damage to No. 1 engine ^ nacelle/ strut/ and lead- 
ing edge of wing out board of No. 1 engine. 

July 30/ 1979 San Pan AM B-747 Collison/ Landing 

Franciso Lights 

Fuselage pierced by multiple steel beams. Landing gear forced 
up into cabin. Damage bulk head. Three of four hydraulic 
systems lost. 

Nov. 3/ 1973 Boston Pan AM B-707 Fire 

Chemical fire in cargo producing dense smoke. Little actual 
damage to aircraft equipment. Factor in accident was loss of 
yaw damper inadvertently turned off because crew thought fire 
was from electrical equipment. 

Nov. 3/ 1973 New Mexico National DC-10 Engine Explosion 

Engine disintegrated probably due to crew experimenting with 
auto throttle. Numerous punctures in fuselage. Power lines 
cut. Two of three hydraulic systems damaged. Control cables 
in tail severed. 

Feb. 4/ 1975 Miami Eastern B-727 Fire 

Missing clamp caused rubbing between wire and hydraxilic line. 
Power wire arched through hydraulic line causing fire. 

Sept. 8/ 1975 San Juan American B-747 Structure 

Flap separated. Punctured fuselage/ broke windows/ dented 
horizontal stabilizer. 
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TABLE I (CONT.) 


DATE 


LOCATION 


AIRLINE 


AIRCRAFT 


ACCIDENT TYPE 


Sept. 20, 1975 JFK Airlift DC-8 Collison, Landing 

Inter. Lights/ILS 

Fuselage punctured, pressurization valve damaged, wheels 
damaged, anti-skid junction box damaged. 


June 1, 1976 


Kansas 


TWA 


L-1011 


Fire 


Small hydraulic leak created mist which was ignited by elec- 
trical arc. Fire destroyed all electrical cables and 
hydraulic lines in compartment. 


Sept. 3, 1977 


Tuscon 


Continental B-727 


Wind shear on take-off. Hit power lines, 
wing root, engine cooling. 


Collison, Power Lines 
Damaged wings. 
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TABLE II 


ESTIMATES OF 

POTENTIAL DAMAGE 

TO ELECTRONIC 

SYSTEMS 




ESTIMATED PROBABILITIES 


TYPE OF ACCIDENT 

ONE LINE 

MORE THAN 

ONE 

LOCATION 


DAMAGED 

ONE DAMAGED 

DAMAGED 

1964-1969 





Engine 

.05 

- 


- 

Fire 

.2 

.1 


.03 

Fire 

.5 

.1 


- 

Fire 

.1 

.01 


- 

Engine 

.0 

.3 


- 

Collision, Mid-air 

.8 

.2 


.01 

Collision, Mid-air 

.8 

.2 


.01 

Engine Fire 

.5 

.05 


- 

Engine 

.1 

- 


- 

Hail 

.05 

.01 


- 

Hail 

.05 

.01 


- 

Bird 

.05 

.01 


- 

Lightning 

.1 

.05 


- 

Bird 

.05 

.01 


- 

Collision, Trees 

.1 

- 


- 

Engine 

.1 

- 


- 

Engine 

.1 

- 


- 

Engine 

.05 

.01 


- 

Structure 

.3 

.1 


- 

Engine 

.1 

- 


- 

Fire 

.3 

.1 


.01 

Fire, Electrical 

.3 

.1 


.01 

Fire 

.3 

.03 


.005 

Mid-Air 

.5 

.1 


.005 

Collision, TV Tower 

.05 

- 


- 

Engine 

.3 

.1 


- 

Collision, Mid-Air 

.05 

- 


- 

Collision , Mid-Air 

.6 

.2 


.05 
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TABLE II (CONT.) 


ESTIMATED PROBABILITIES 


TYPE OF ACCIDENT 

ONE LINE 
DAMAGED 

MORE THAN 
ONE DAMAGED 

ONE LOCATION 
DAMAGED 

1970-1972 

Engine 

.1 

- 

- 

Lightning 

.4 

in 

o 

• 

- 

Engine 

in 

o 

• 

- 

- 

Collision^ Mid-Air 

.6 

.05 

.005 

Collision y Landing Lights 

-9 

.6 

.05 

Fire 

.4 

.1 

.01 

Engine 

.2 

- 

- 

Bird 

.6 

.1 

.05 

Structure / Decompression 

.8 

.5 

- 

Engine 

.1 

- 

- 

Fire 

.1 

• - 

- 

Engine 

1973 

.3 

.02 


Engine 

.9 

.5 

.01 

Fire 

.2 

.01 

- 

Engine 

.3 

.05 

- 

Fire 

.6 

.1 

.01 

1974 

Fire /Engine 
Structure 

in 

O H 

• • 

- 

- 

Engine Cowl 

.3 

.1 

- 

Hail 

.1 

.03 

- 

Bomb 

.06 

.02 

.005 

1975 

Fire 

.4 

.05 

.005 

Engine 

.2 

.05 

- 

Control Surface 

.1 

- 

- 

Collision, ILS 

.2 

.05 

- 
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TABLE II (CONT.) 



ESTIMATED PROBABILITIES 

TYPE OF ACCIDENT 

ONE LINE MORE THAN ONE LOCATION 

DAMAGED ONE DAMAGED DAMAGED 

1976 

Fire 

.9 .5 .05 

Engine Fire 

.1 .01 

Engine 

.5 .1 

1977 

Collision, Power Lines 

.1 .05 


TOTALS 

17.3 4.8 .33 

TOTAL FLIGHT HOURS 

83.06 X 10^ 

DAMAGE RATE/HOUR 

2.1x10”^ 5.8x10"® 4.0xl0“® 
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Appendix B 



ACRONYMS 

AB 

avionics bay 

ADDCS 

Analog and Discrete Data Conversion 
System 

ADF 

automatic direction finding 

AEEC 

Airline Electronic Engineering Commit 
tee 

APU 

auxilary pouer unit 

ARINC 

Aeronautical Radio, Inc. 

ATC 

Air Traffic Control 

CP 

cockpit 

CRT 

cathode ray tube 

DABS 

Discrete Address Beacon System 

DADS 

digital air data system 

DITS 

digital information transfer system 

DME 

distance measuring equipment 

GPS 

Global Positioning System 

HF 

high frequency 

ILS 

instrument landing system 

LRU 

line replaceable unit 

LSI 

large scale integration 

LVDT 

linear variable differential trans- 
former 

MCU 

modular concept unit 

modem 

modulator/demodulator 
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MTBF 

NIC 

NTSB 

VHF 

VLSI 

VOR 


mean time between failures 

New Installations Concept 

National Transportation Safety Boar 

very high frequency 

very large scale integration 

VHF Omni range 
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